Skip to main content

SOLIDWORKS Visualize CVE-2026-10094

| EUVDEUVD-2026-37560 CRITICAL
Path Traversal (CWE-22)
2026-06-17 3DS
9.8
CVSS 3.1 · Vendor: 3DS
Share

Severity by source

Vendor (3DS) PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
9.8 CRITICAL

Description states remote attacker can write arbitrary files on the server with no stated auth or interaction, and arbitrary write typically yields full C/I/A impact via code execution.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (3DS).

CVSS VectorVendor: 3DS

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 17, 2026 - 08:24 vuln.today

DescriptionCVE.org

A Path Traversal vulnerability affecting SOLIDWORKS Visualize from SOLIDWORKS Desktop Release 2024 through SOLIDWORKS Desktop Release 2026 could allow an attacker to write arbitrary files on the server.

AnalysisAI

Arbitrary file write via path traversal in SOLIDWORKS Visualize (bundled with SOLIDWORKS Desktop 2024 through 2026) allows remote attackers to place files at attacker-chosen locations on the server. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N) indicates remote, unauthenticated exploitation with high impact across confidentiality, integrity, and availability. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify reachable SOLIDWORKS Visualize host
Delivery
Send request with traversal path
Exploit
Write payload to sensitive directory
Execution
Trigger payload via autorun or scheduled task
Persist
Execute code in Visualize process context
Impact
Pivot to CAD assets and host

Vulnerability AssessmentAI

Exploitation Exploitation requires network reachability to a SOLIDWORKS Visualize instance from the SOLIDWORKS Desktop 2024-2026 product line that exposes the vulnerable file-write code path; per the CVSS vector (AV:N/AC:L/PR:N/UI:N) no authentication, user interaction, or special configuration is documented as required. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 score of 9.8 with AV:N/AC:L/PR:N/UI:N implies a remote, unauthenticated, low-complexity write primitive against a server-side endpoint, which is unusually severe for what is normally marketed as a desktop rendering tool - this discrepancy between the product's typical deployment model and the 'server' wording in the description is the single biggest open question and should be verified against the vendor advisory before treating the network vector as confirmed. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker reachable over the network sends a crafted request containing a manipulated file path (e.g., '..\..\Windows\System32\Tasks\evil.xml' or a path into a web root) to a SOLIDWORKS Visualize file-handling interface, and the server writes attacker-controlled content to that location. The dropped file is then triggered by an existing autorun, scheduled task, or web request, yielding code execution in the context of the Visualize process. …
Remediation Patch availability is not explicitly confirmed in the provided data; treat the 3DS advisory at https://www.3ds.com/trust-center/security/security-advisories/cve-2026-10094 as authoritative for the fixed service pack and apply it to all SOLIDWORKS Desktop 2024, 2025, and 2026 installations that include the Visualize component. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify and inventory all systems running SOLIDWORKS Desktop 2024, 2025, or 2026, with priority on internet-facing deployments. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-10094 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy