Multiple vulnerabilities in Autodesk AutoCAD and desktop products



| Updated: 2024-11-01
Risk High
Patch available YES
Number of vulnerabilities 6
CVE-ID CVE-2024-7991
CVE-2024-7992
CVE-2024-8896
CVE-2024-9489
CVE-2024-9996
CVE-2024-9997
CWE-ID CWE-787
CWE-121
CWE-908
CWE-119
Exploitation vector Network
Public exploit N/A
Vulnerable software
Autodesk AutoCAD
Other software / Other software solutions

AutoCAD LT
Client/Desktop applications / Multimedia software

AutoCAD Architecture
Client/Desktop applications / Multimedia software

AutoCAD Electrical
Client/Desktop applications / Multimedia software

AutoCAD Mechanical
Client/Desktop applications / Multimedia software

AutoCAD MEP
Client/Desktop applications / Multimedia software

AutoCAD Plant 3D
Client/Desktop applications / Multimedia software

Autodesk Civil 3D
Client/Desktop applications / Multimedia software

Advance Steel
Client/Desktop applications / Multimedia software

DWG Trueview
Client/Desktop applications / Multimedia software

Vendor Autodesk

Security Bulletin

This security bulletin contains information about 6 vulnerabilities.

1) Out-of-bounds write

EUVDB-ID: #VU99498

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-7991

CWE-ID: CWE-787 - Out-of-bounds write

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a boundary error when processing untrusted input. A remote attacker can create a specially crafted DWG file, trick the victim into opening it using the affected software, trigger an out-of-bounds write and execute arbitrary code on the target system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Autodesk AutoCAD: 2025

AutoCAD LT: 2025

AutoCAD Architecture: 2025

AutoCAD Electrical: 2025

AutoCAD Mechanical: 2025

AutoCAD MEP: 2025

AutoCAD Plant 3D: 2025

Autodesk Civil 3D: 2025

Advance Steel: 2025

DWG Trueview: 2025

CPE2.3 External links

http://autodesk.com/trust/security-advisories/adsk-sa-2024-0021


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Stack-based buffer overflow

EUVDB-ID: #VU99499

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-7992

CWE-ID: CWE-121 - Stack-based buffer overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error. A remote attacker can create a specially crafted DWG file, trick the victim into opening it using the affected software, trigger stack-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Autodesk AutoCAD: 2025

AutoCAD LT: 2025

AutoCAD Architecture: 2025

AutoCAD Electrical: 2025

AutoCAD Mechanical: 2025

AutoCAD MEP: 2025

AutoCAD Plant 3D: 2025

Autodesk Civil 3D: 2025

Advance Steel: 2025

DWG Trueview: 2025

CPE2.3 External links

http://autodesk.com/trust/security-advisories/adsk-sa-2024-0021


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Use of uninitialized resource

EUVDB-ID: #VU99500

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-8896

CWE-ID: CWE-908 - Use of Uninitialized Resource

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass certain security restrictions.

The vulnerability exists due to usage of uninitialized resources in acdb25.dll. A remote attacker can trick a victim to open a specially crafted DXF file, trigger uninitialized usage of resources and bypass implemented security mechanisms.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Autodesk AutoCAD: 2025

AutoCAD LT: 2025

AutoCAD Architecture: 2025

AutoCAD Electrical: 2025

AutoCAD Mechanical: 2025

AutoCAD MEP: 2025

AutoCAD Plant 3D: 2025

Autodesk Civil 3D: 2025

Advance Steel: 2025

DWG Trueview: 2025

CPE2.3 External links

http://autodesk.com/trust/security-advisories/adsk-sa-2024-0021
http://www.zerodayinitiative.com/advisories/ZDI-24-1426/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Buffer overflow

EUVDB-ID: #VU99501

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-9489

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in ACAD.exe. A remote attacker can create a specially crafted DWG file, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Autodesk AutoCAD: 2025

AutoCAD LT: 2025

AutoCAD Architecture: 2025

AutoCAD Electrical: 2025

AutoCAD Mechanical: 2025

AutoCAD MEP: 2025

AutoCAD Plant 3D: 2025

Autodesk Civil 3D: 2025

Advance Steel: 2025

DWG Trueview: 2025

CPE2.3 External links

http://autodesk.com/trust/security-advisories/adsk-sa-2024-0021
http://www.zerodayinitiative.com/advisories/ZDI-24-1425/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Out-of-bounds write

EUVDB-ID: #VU99502

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-9996

CWE-ID: CWE-787 - Out-of-bounds write

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a boundary error when processing untrusted input in acdb25.dll. A remote attacker can create a specially crafted DWG file, trick the victim into opening it using the affected software, trigger an out-of-bounds write and execute arbitrary code on the target system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Autodesk AutoCAD: 2025

AutoCAD LT: 2025

AutoCAD Architecture: 2025

AutoCAD Electrical: 2025

AutoCAD Mechanical: 2025

AutoCAD MEP: 2025

AutoCAD Plant 3D: 2025

Autodesk Civil 3D: 2025

Advance Steel: 2025

DWG Trueview: 2025

CPE2.3 External links

http://autodesk.com/trust/security-advisories/adsk-sa-2024-0021
http://www.zerodayinitiative.com/advisories/ZDI-24-1424/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Buffer overflow

EUVDB-ID: #VU99503

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-9997

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in acdb25.dll. A remote attacker can create a specially crafted DWG file, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Autodesk AutoCAD: 2025

AutoCAD LT: 2025

AutoCAD Architecture: 2025

AutoCAD Electrical: 2025

AutoCAD Mechanical: 2025

AutoCAD MEP: 2025

AutoCAD Plant 3D: 2025

Autodesk Civil 3D: 2025

Advance Steel: 2025

DWG Trueview: 2025

CPE2.3 External links

http://autodesk.com/trust/security-advisories/adsk-sa-2024-0021
http://www.zerodayinitiative.com/advisories/ZDI-24-1423/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###