A group of network penetration testing specialists has reported a critical flaw in Autodesk's 2D and 3D design software. According to the report, successful exploitation of this flaw would allow threat actors to execute code remotely on the affected systems. Some cases of active exploitation have already been reported.
Below is a brief description of the reported flaw. Note that this vulnerability does not yet have an identification key according to the Common Vulnerability Scoring System (CVSS).
Network penetration testing experts mention that this flaw exists due to insufficient validation of user input when processing .max files. A remote threat actor could trick the victim into opening a specially crafted file, resulting in remote code execution on the target system.
Some cases of active exploitation of the flaw have already been recorded. In these attacks, malicious hackers have been employing the malware variant known as PhysXPluginMfx.
The versions of Autodesk 3ds Max affected by this flaw are: 2015, 2016, 2017, 2018, 2019 and 2020. The flaw received a score of 8.8/10 on the CVSS scale.
The flaw can be exploited remotely by unauthenticated threat actors. As the network penetration testing experts mentioned, there have already been some cases of active exploitation, so it is recommended that administrators of affected deployments stay on top of the release of security patches to address this issue.