CVE-2023-25002: 
Autodesk 3ds Max vulnerability analysis and mitigation

A use-after-free vulnerability (CVE-2023-25002) was discovered in Autodesk products that affects multiple software versions. The vulnerability was disclosed on June 27, 2023, and impacts several Autodesk products including 3ds Max (2022, 2023), Navisworks (2022, 2023), Revit (2022, 2023), and VRED (2023) (NVD, Autodesk Advisory).

The vulnerability occurs when processing maliciously crafted SKP files in affected Autodesk products, which can trigger a use-after-free condition. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (High), with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. This indicates that the vulnerability requires local access and user interaction but needs no privileges to exploit (NVD).

Successful exploitation of this vulnerability may lead to code execution in the context of the current process. This could potentially allow an attacker to execute arbitrary code with the privileges of the user running the affected Autodesk application (Autodesk Advisory).

Autodesk has released patches for the affected products. Users are strongly recommended to obtain and apply the latest hotfixes via Autodesk Access or the Accounts Portal. The fixed versions include: VRED 2023.3, Revit 2023.1.2/2022.1.4, Navisworks 2023.3/2022.4, and 3ds Max 2023.3.3/2022.3.10. After obtaining the hotfixes, users should reinstall the software to apply them (Autodesk Advisory).