CVE Alert: CVE-2025-8894 – Autodesk – Revit

CVE-2025-8894

HIGH · No exploitation known

A maliciously crafted PDF file, when parsed through certain Autodesk products, can force a Heap-Based Overflow vulnerability. A malicious actor can leverage this vulnerability to cause a crash, read sensitive data, or execute arbitrary code in the context of the current process.

CVSS v3.1 (7.8)
AV LOCAL · AC LOW · PR NONE · UI REQUIRED · S UNCHANGED
Vendor
Autodesk
Product / Affected versions
Revit                 2026 < 2026.3 | 2025 < 2025.4.3
AutoCAD               2026 < 2026.1 | 2025 < 2025.1.3
AutoCAD LT            2026 < 2026.1 | 2025 < 2025.1.3
AutoCAD Architecture  2026 < 2026.1 | 2025 < 2025.1.3
AutoCAD Electrical    2026 < 2026.1 | 2025 < 2025.1.3
AutoCAD Mechanical    2026 < 2026.1 | 2025 < 2025.1.3
AutoCAD MEP           2026 < 2026.1 | 2025 < 2025.1.3
AutoCAD Plant 3D      2026 < 2026.1 | 2025 < 2025.1.3
AutoCAD MAP 3D        2026 < 2026.1 | 2025 < 2025.1.3
Civil 3D              2026 < 2026.1 | 2025 < 2025.1.3
Advance Steel         2026 < 2026.1 | 2025 < 2025.1.3
CWE
CWE-122 Heap-Based Buffer Overflow
Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Published
2025-09-16T14:19:30.719Z
Updated
2025-09-16T14:40:37.110Z
CPE
cpe:2.3:a:autodesk:revit:2026:*:*:*:*:*:*:*
cpe:2.3:a:autodesk:revit:2025:*:*:*:*:*:*:*
cpe:2.3:a:autodesk:autocad:2026:*:*:*:*:*:*:*
cpe:2.3:a:autodesk:autocad:2025:*:*:*:*:*:*:*
cpe:2.3:a:autodesk:autocad_lt:2026:*:*:*:*:*:*:*
cpe:2.3:a:autodesk:autocad_lt:2025:*:*:*:*:*:*:*
cpe:2.3:a:autodesk:autocad_architecture:2026:*:*:*:*:*:*:*
cpe:2.3:a:autodesk:autocad_architecture:2025:*:*:*:*:*:*:*
cpe:2.3:a:autodesk:autocad_electrical:2026:*:*:*:*:*:*:*
cpe:2.3:a:autodesk:autocad_electrical:2025:*:*:*:*:*:*:*
cpe:2.3:a:autodesk:autocad_mechanical:2026:*:*:*:*:*:*:*
cpe:2.3:a:autodesk:autocad_mechanical:2025:*:*:*:*:*:*:*
cpe:2.3:a:autodesk:autocad_mep:2026:*:*:*:*:*:*:*
cpe:2.3:a:autodesk:autocad_mep:2025:*:*:*:*:*:*:*
cpe:2.3:a:autodesk:autocad_plant_3d:2026:*:*:*:*:*:*:*
cpe:2.3:a:autodesk:autocad_plant_3d:2025:*:*:*:*:*:*:*
cpe:2.3:a:autodesk:autocad_map_3d:2026:*:*:*:*:*:*:*
cpe:2.3:a:autodesk:autocad_map_3d:2025:*:*:*:*:*:*:*
cpe:2.3:a:autodesk:civil_3d:2026:*:*:*:*:*:*:*
cpe:2.3:a:autodesk:civil_3d:2025:*:*:*:*:*:*:*
cpe:2.3:a:autodesk:advance_steel:2026:*:*:*:*:*:*:*
cpe:2.3:a:autodesk:advance_steel:2025:*:*:*:*:*:*:*

AI Summary Analysis

**Risk verdict** High risk to Autodesk CAD/BIM users from a PDF parsing heap overflow; no active exploitation flagged in the data, but patching should be treated as urgent.

**Why this matters** A malicious PDF could allow arbitrary code execution within the affected product, potentially exfiltrating data, altering designs, or causing design-workflow downtime. Given widespread use of AutoCAD, Revit and related tools in design firms, a single successful exploit could disrupt projects across multiple teams.

**Most likely attack path** An attacker delivers a crafted PDF and a logged-in user opens it in an affected Autodesk product. The overflow is triggered during parsing, so any resulting code runs as the current user: the vector is local (a crafted document on the workstation), requires user interaction, and needs no prior privileges. The outcome is code execution, data access or a process crash within the product's context, with few preconditions beyond a reachable workstation.

**Who is most exposed** Organisations deploying Autodesk CAD/BIM suites on Windows desktops, especially architecture/engineering consultancies and design studios with shared CAD data and PDF workflows.

Detection ideas

  • Crashes and dump generation in Autodesk processes after opening PDFs
  • Sudden spikes in memory or CPU during PDF processing
  • Event/log entries or crash reports tied to PDF parsing
  • Unusual process spawning from AutoCAD/Revit processes
  • EDR alerts for memory corruption indicators during PDF handling
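The first and fourth detection ideas above can be turned into concrete triage logic over endpoint telemetry. The following Python is an added example written for this page, not code from the alert's source or from Autodesk: it scans Windows Application log "Application Error" records (Event ID 1000) for crashes in Autodesk processes, and Sysmon-style process-creation records (Event ID 1) for children spawned by AutoCAD/Revit that are not expected helper processes. The field names, the executable names, the faulting-module name and all sample events are constructed assumptions for the example; map them onto your own log schema.

```python
"""Triage helper for two of the detection ideas in the alert (added
example, not part of the original page). Field names, process names
and the sample events below are assumptions, not vendor-documented
values."""

from dataclasses import dataclass
from typing import Iterable

# Assumed main executables of the Autodesk products named in the alert.
AUTODESK_IMAGES = {"revit.exe", "acad.exe", "acadlt.exe", "advancesteel.exe"}

# Child processes a CAD application has a legitimate reason to start
# (assumed allowlist). Anything else spawned by an Autodesk parent is
# worth an analyst's look.
EXPECTED_CHILDREN = {"conhost.exe", "werfault.exe",
                     "adsklicensingservice.exe", "acwebbrowser.exe"}


@dataclass
class Finding:
    rule: str
    host: str
    detail: str
    severity: str = "medium"


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect_autodesk_crashes(events: Iterable[dict]) -> list[Finding]:
    """Event ID 1000 where the faulting application is an Autodesk product.
    Because the alert places the bug in PDF parsing, a faulting module
    whose name mentions PDF raises the severity."""
    findings = []
    for e in events:
        if e.get("event_id") != 1000:
            continue
        app = _basename(e.get("faulting_application", ""))
        if app not in AUTODESK_IMAGES:
            continue
        module = _basename(e.get("faulting_module", ""))
        sev = "high" if "pdf" in module else "medium"
        findings.append(Finding("autodesk_crash", e["host"],
                                f"{app} crashed in {module or 'unknown module'}", sev))
    return findings


def detect_unusual_children(events: Iterable[dict]) -> list[Finding]:
    """Event ID 1 where the parent is an Autodesk product and the child
    is not on the expected-helper allowlist."""
    findings = []
    for e in events:
        if e.get("event_id") != 1:
            continue
        parent = _basename(e.get("parent_image", ""))
        child = _basename(e.get("image", ""))
        if parent in AUTODESK_IMAGES and child not in EXPECTED_CHILDREN:
            findings.append(Finding("autodesk_unusual_child", e["host"],
                                    f"{parent} spawned {child}: {e.get('command_line', '')}",
                                    "high"))
    return findings


def triage(events: Iterable[dict]) -> list[Finding]:
    """Run both rules over one batch of events; crashes are reported first."""
    events = list(events)
    return detect_autodesk_crashes(events) + detect_unusual_children(events)


# Constructed sample telemetry (not real data; pdfimport.dll is a made-up
# module name used only to exercise the severity rule).
SAMPLE_EVENTS = [
    {"event_id": 1000, "host": "cad-ws-07",
     "faulting_application": r"C:\Program Files\Autodesk\Revit 2025\Revit.exe",
     "faulting_module": r"C:\Program Files\Autodesk\Revit 2025\pdfimport.dll"},
    {"event_id": 1000, "host": "cad-ws-07",
     "faulting_application": r"C:\Windows\explorer.exe",
     "faulting_module": r"C:\Windows\System32\shell32.dll"},
    {"event_id": 1, "host": "cad-ws-07",
     "parent_image": r"C:\Program Files\Autodesk\AutoCAD 2026\acad.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -File C:\Users\Public\update.ps1"},
    {"event_id": 1, "host": "cad-ws-07",
     "parent_image": r"C:\Program Files\Autodesk\AutoCAD 2026\acad.exe",
     "image": r"C:\Windows\System32\conhost.exe",
     "command_line": "conhost.exe"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.host} {f.rule}: {f.detail}")
```

On the sample batch the script reports the Revit crash as high (faulting module names PDF) and the PowerShell child of acad.exe as high, while the Explorer crash and the conhost.exe child produce nothing. Tune the two sets to your estate: the crash rule is noisy on its own, so correlate it with a recent PDF import or with the child-process rule before escalating.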

Mitigation and prioritisation

  • Apply vendor patches to fixed builds (Revit 2026.3 / 2025.4.3; 2026.1 / 2025.1.3 for the AutoCAD family, Civil 3D and Advance Steel, per the version table above; follow Autodesk advisories).
  • Patch management: test in staging, then deploy across affected workstations; enable automatic updates if feasible.
  • Implement least-privilege and application allowlisting for CAD workstations; restrict local PDF handling where possible.
  • User training to avoid opening untrusted PDFs; scan and quarantine PDFs before opening in design apps.
  • If KEV/EPSS data becomes available, reassess prioritisation accordingly.
