Vulnerability identifier: #VU42184
Vulnerability risk: High
CVSSv3.1: 8.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:H/RL:U/RC:C]
CVE-ID:
CWE-ID: CWE-20
Exploitation vector: Network
Exploit availability: No
Vulnerable software: Autodesk 3ds Max
Other software / Other software solutions
Vendor: Autodesk
Description
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to insufficient validation of user-supplied input when processing .max files. A remote attacker can trick the victim into opening a malicious .max file and execute arbitrary code on the target system.
Note: this vulnerability is being actively exploited by malware known as PhysXPluginMfx.
Mitigation
Cybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versions
Autodesk 3ds Max: 2015 - 2020
External links
http://www.autodesk.com/trust/security-advisories/adsk-sa-2020-0005
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
Yes. This vulnerability is being exploited in the wild.