CVE-2025-5036

EUVD-2025-16683 | HIGH | 7.8 (CVSS 3.1)
2025-06-02 [email protected]

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Mar 14, 2026 - 16:47 (vuln.today)
EUVD ID Assigned: Mar 14, 2026 - 16:47 (euvd), EUVD-2025-16683
CVE Published: Jun 02, 2025 - 17:15 (nvd), HIGH 7.8

Description

A maliciously crafted RFA file, when linked or imported into Autodesk Revit, can force a Use-After-Free vulnerability. A malicious actor can leverage this vulnerability to cause a crash, read sensitive data, or execute arbitrary code in the context of the current process.

Analysis

Use-After-Free vulnerability (CWE-416) in Autodesk Revit triggered by maliciously crafted RFA (Revit Family) files that can be linked or imported into the application. An unauthenticated attacker with local access can exploit this vulnerability to crash the application, exfiltrate sensitive data, or achieve arbitrary code execution with the privileges of the Revit process. The attack requires user interaction (opening or importing a malicious file) but has high impact potential, with confidentiality, integrity, and availability all compromised. Current KEV and exploitation status are unknown without additional intelligence sources.

Technical Context

Autodesk Revit is a Building Information Modeling (BIM) application that processes RFA (Revit Family) files—serialized component definitions used in architectural designs. The vulnerability exists in Revit's RFA file parsing logic, which fails to properly manage memory references when linking or importing these files. CWE-416 (Use-After-Free) indicates that the application references memory that has been deallocated, allowing an attacker to manipulate freed memory regions. This typically occurs in C/C++ codebases where manual memory management is used. A maliciously crafted RFA file likely contains specially formatted data structures that trigger premature deallocation of objects during file parsing, followed by subsequent code paths that attempt to access these freed objects. Affected CPE strings would be: cpe:2.3:a:autodesk:revit:*:*:*:*:*:*:*:* (versions prior to patched release). The RFA file format is Autodesk-proprietary and binary-based, making validation difficult for end-users.

Affected Products

Autodesk Revit (the specific version range is unknown from the provided data; the issue typically affects multiple recent versions). CPE: cpe:2.3:a:autodesk:revit:*:*:*:*:*:*:*:*. The vulnerability is triggered when: (1) RFA files are linked into an open Revit project, or (2) RFA files are imported/inserted as components. Both 32-bit and 64-bit editions of Revit are likely affected. Commonly deployed Revit versions include the 2023, 2024, and 2025 releases; the exact patched versions are not specified in the provided data. Organizations using Revit for architectural design, structural engineering, MEP (Mechanical, Electrical, Plumbing) coordination, or BIM asset libraries are in scope. No vendor advisory link is provided in the source data.

Remediation

(1) Immediate: Disable RFA file linking/importing functionality in Revit if business operations permit, or restrict user access to untrusted external RFA files.
(2) Process-level: Implement file validation workflows: do not open RFA files from untrusted sources (external vendors, internet downloads, unsolicited email attachments).
(3) Patch-level: Monitor Autodesk security advisories for a patched Revit version addressing CVE-2025-5036. Once released, deploy patches to all affected Revit installations following change management.
(4) Compensating controls: Use application whitelisting to restrict Revit's file I/O, run Revit in sandboxed environments if feasible, and monitor for abnormal Revit process crashes or memory access patterns.
(5) Organizational: Educate users on the risks of opening design files from untrusted collaborators; implement code-review processes for externally-sourced RFA files in controlled environments before integration into production BIM models.

Priority Score

39 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.1
CVSS: +39
POC: 0
