CVE Alert: CVE-2025-10885 – Autodesk – Installer

CVE-2025-10885

HIGH · No exploitation known

A maliciously crafted file, when executed on the victim’s machine, can lead to privilege escalation to NT AUTHORITY\SYSTEM due to insufficient validation of loaded binaries. An attacker with local, low-privilege access could exploit this to execute code as SYSTEM.

CVSS v3.1 (7.8)
AV LOCAL · AC LOW · PR NONE · UI REQUIRED · S UNCHANGED
Vendor: Autodesk
Product: Installer
Versions: 2.18 (affected versions below 2.19)
CWE: CWE-250 Execution with Unnecessary Privileges
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Published: 2025-11-06T17:01:19.327Z
Updated: 2025-11-06T17:58:04.357Z
CPE: cpe:2.3:a:autodesk:installer:2.18:*:*:*:*:*:*:*

AI Summary Analysis

Risk verdict

High risk of local privilege escalation to SYSTEM if a user opens a malicious file; no remote vector implied by the data, but exploitation would be highly impactful once user interaction occurs. Public exploitation is not indicated in the SSVC enrichment.

Why this matters

Gaining SYSTEM privileges on an endpoint enables persistent access, credential access, and potential domain footholds if the device is connected to a network. This can undermine defences, complicate incident response, and enable broader lateral movement with minimal initial access.

Most likely attack path

An attacker crafts a malicious file and persuades a user to run it. The vulnerability stems from insufficient validation of loaded binaries in the local installer component, allowing code execution with SYSTEM privileges after user interaction, without requiring initial admin rights. Lateral movement would depend on subsequent access and network trust.

Who is most exposed

Workstations in design/engineering environments where installers for CAD-type software are routinely deployed; enterprises using Windows endpoints with standard user workloads are most at risk, especially where software is deployed via shared networks or automatic updates.

Detection ideas

  • Monitor for a user actually executing a suspicious file that triggers SYSTEM-level process creation.
  • Detect unusual process trees where a user process spawns a SYSTEM-level binary from the installer path.
  • Look for integrity violations or unexpected binary loading within the installer’s runtime.
  • Correlate with unusual elevation attempts shortly after file execution.
  • Alert on installation-related events from non-administrative contexts.
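The two process-tree patterns in the list above (a user-context process spawning a SYSTEM-level child from the installer path, and the installer's own process loading an unexpected or unsigned binary) can be expressed as a small rule set over Sysmon-style telemetry. The detector below is an added example, not part of the alert or of Autodesk's tooling; the installer directory, the user-writable roots, the account names and the event records are all constructed assumptions, since the advisory names no paths.

```python
"""Toy detector for the two process-tree patterns in the 'Detection ideas' list.

Events mimic Sysmon Event ID 1 (process create) and Event ID 7 (image load).
All paths, accounts and events below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

SYSTEM_ACCOUNT = "NT AUTHORITY\\SYSTEM"
# Assumption: directory the installer component runs from (the advisory gives no real path).
INSTALLER_DIR = "c:\\program files\\example-vendor\\installer"
# Assumption: user-writable roots a SYSTEM-level installer should never load code from.
USER_WRITABLE_ROOTS = ("c:\\users\\", "c:\\programdata\\temp\\")


@dataclass
class SysmonEvent:
    event_id: int                    # 1 = process create, 7 = image load
    pid: int
    image: str                       # executable of the (child) process
    user: str                        # account the process runs as
    parent_pid: Optional[int] = None
    parent_image: str = ""
    parent_user: str = ""
    loaded_image: str = ""           # Event ID 7 only: DLL/EXE mapped into the process
    signed: bool = True              # Event ID 7 only: Authenticode status reported by the sensor


def _norm(path: str) -> str:
    return path.replace("/", "\\").lower()


def in_installer_dir(path: str) -> bool:
    return _norm(path).startswith(INSTALLER_DIR + "\\")


def from_user_writable(path: str) -> bool:
    return _norm(path).startswith(USER_WRITABLE_ROOTS)


def detect(events: List[SysmonEvent]) -> List[Tuple[str, int, str]]:
    """Return (rule, pid, path) findings for the two patterns from the list above."""
    findings = []
    for e in events:
        if e.event_id == 1:
            # Rule 1: a non-SYSTEM parent spawns a SYSTEM child out of the installer path.
            if (e.user == SYSTEM_ACCOUNT
                    and e.parent_user and e.parent_user != SYSTEM_ACCOUNT
                    and in_installer_dir(e.image)):
                findings.append(("user-to-system-spawn", e.pid, e.image))
        elif e.event_id == 7 and in_installer_dir(e.image):
            # Rule 2: the installer's runtime loads an unsigned binary, or one from a
            # user-writable location (the "unexpected binary loading" case).
            if not e.signed or from_user_writable(e.loaded_image):
                findings.append(("suspicious-image-load", e.pid, e.loaded_image))
    return findings


# Constructed sample telemetry: two benign events, two that should fire.
SAMPLE_EVENTS = [
    # benign: the service control manager (SYSTEM) starts the installer service
    SysmonEvent(1, 1200, "C:\\Program Files\\Example-Vendor\\Installer\\InstallerSvc.exe",
                SYSTEM_ACCOUNT, 700, "C:\\Windows\\System32\\services.exe", SYSTEM_ACCOUNT),
    # suspicious: a standard user's shell ends up with a SYSTEM child from the installer path
    SysmonEvent(1, 4120, "C:\\Program Files\\Example-Vendor\\Installer\\Helper.exe",
                SYSTEM_ACCOUNT, 3001, "C:\\Windows\\explorer.exe", "CORP\\alice"),
    # benign: the installer service loads a signed OS library
    SysmonEvent(7, 1200, "C:\\Program Files\\Example-Vendor\\Installer\\InstallerSvc.exe",
                SYSTEM_ACCOUNT, loaded_image="C:\\Windows\\System32\\kernel32.dll", signed=True),
    # suspicious: the installer service loads an unsigned DLL from a user's temp directory
    SysmonEvent(7, 1200, "C:\\Program Files\\Example-Vendor\\Installer\\InstallerSvc.exe",
                SYSTEM_ACCOUNT,
                loaded_image="C:\\Users\\alice\\AppData\\Local\\Temp\\helper.dll", signed=False),
]

if __name__ == "__main__":
    for rule, pid, path in detect(SAMPLE_EVENTS):
        print(f"{rule}: pid={pid} path={path}")
```

Both rules are deliberately path-anchored: in production the `INSTALLER_DIR` constant would come from the real install location, and the image-load rule would typically be tightened to the specific DLL names the installer is expected to load, so that a signed-but-unexpected library from a user-writable directory is still caught.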

Mitigation and prioritisation

  • Apply the latest patch (2.19 or newer) immediately; coordinate with change control.
  • Enforce least privilege and application control (AppLocker/SRP) to block unsigned or untrusted binaries from loading.
  • Restrict user interactions with installers; require administrative approval for any execution from untrusted locations.
  • Validate installer provenance (digital signatures, hashes) before execution; consider whitelisting known-good installers.
  • Review and harden endpoint monitoring for privilege-escalation attempts; if KEV or EPSS indicators exist, treat as priority 1.
