CVE-2022-25794: 
Autodesk FBX Review vulnerability analysis and mitigation

An Out-Of-Bounds Read Vulnerability was discovered in Autodesk FBX Review version 1.5.2 and prior, identified as CVE-2022-25794. The vulnerability was discovered by Tran Van Khang (khangkito) from VinCSS working with Zero Day Initiative and was publicly disclosed on February 28, 2022. The vulnerability affects Autodesk FBX Review software versions up to 1.5.2 (Vendor Advisory).

The vulnerability exists within the parsing of ActionScript Byte Code (ABC) files, which are created by the Flash compiler and contain executable code. The issue specifically involves an Out-Of-Bounds Read condition when processing these ABC files. The vulnerability has been assigned a CVSS v3.1 Base Score of 7.8 (HIGH) with the vector string: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The vulnerability is classified as CWE-125 (Out-of-bounds Read) (NVD).

The exploitation of this vulnerability could lead to code execution through maliciously crafted ActionScript Byte Code 'ABC' files or result in information disclosure. When combined with other vulnerabilities, it could potentially lead to code execution in the context of the current process (Vendor Advisory, ZDI Advisory).

Autodesk has released version 1.5.3 of FBX Review to address this vulnerability. The company strongly recommends that customers using affected versions upgrade to the patched version 1.5.3, which is available through the Autodesk Desktop App or the Accounts Portal (Vendor Advisory).