Trimble SketchUp CVE-2025-60749
HIGHSeverity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Local DLL hijack needs a low-priv foothold with write access to a search-path directory, hence AV:L/PR:L; full code execution yields C:H/I:H/A:H, UI:N assuming helper auto-loads.
Primary rating from Vendor (mitre).
CVSS VectorVendor: mitre
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
DLL Hijacking vulnerability in Trimble SketchUp desktop 2025 via crafted libcef.dll used by sketchup_webhelper.exe.
AnalysisAI
Local privilege-agnostic code execution in Trimble SketchUp desktop 2025 for Windows occurs when its helper process sketchup_webhelper.exe loads an attacker-supplied libcef.dll from an insecure search path (CWE-427). A local attacker who can drop a crafted DLL into a directory searched by the helper gains full confidentiality, integrity, and availability impact in the context of the running process. No public exploit identified in the provided data, though a third-party technical writeup (yawataa.github.io) documenting the issue exists; EPSS is low at 0.17% (7th percentile), indicating negligible measured exploitation activity.
Technical ContextAI
SketchUp bundles the Chromium Embedded Framework (CEF), whose runtime library libcef.dll is loaded by the auxiliary process sketchup_webhelper.exe. The root cause is CWE-427 (Uncontrolled Search Path Element / DLL hijacking): the executable resolves libcef.dll by name without pinning an absolute trusted path or enforcing signature validation, so Windows' standard DLL search order can be abused to load a malicious DLL placed earlier in the search path (e.g., the application directory or a writable directory that precedes the legitimate library). Because libcef.dll is a large, legitimately-loaded dependency, a substituted DLL can proxy real functionality while executing attacker code, making the hijack difficult to notice at runtime.
Affected ProductsAI
Trimble SketchUp desktop 2025 (Windows desktop client) is affected via the sketchup_webhelper.exe component that loads libcef.dll. Exact patched build numbers and the full range of affected 2025 sub-versions are not enumerated in the provided data; no NVD CPE string was supplied. The vendor download/help resource is referenced at https://help.sketchup.com/zh-CN/downloading-sketchup, and a third-party technical analysis is published at https://yawataa.github.io/2025/10/23/CVE-2025-60749/.
RemediationAI
No vendor-released patch version is identified in the provided data, so obtain the latest SketchUp 2025 desktop build from the official channel (https://help.sketchup.com/zh-CN/downloading-sketchup) and confirm with Trimble whether a fixed release addresses CVE-2025-60749. As compensating controls until a confirmed fix: ensure the SketchUp installation directory and any directory in the helper's DLL search path are not writable by non-administrative users (removing attacker write access breaks the hijack, with minimal functional side effect); apply application allowlisting (e.g., WDAC/AppLocker) to permit only signed, known-good DLLs for sketchup_webhelper.exe (side effect: may block legitimate updates until rules are refreshed); and monitor for unexpected libcef.dll files or unsigned DLL loads by the helper process via EDR. Avoid running SketchUp from shared, world-writable, or network locations that precede the legitimate library in the search order.
Same weakness CWE-427 – Uncontrolled Search Path Element
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today