CVE-2026-10789
Autodesk · Fusion
A critical flaw in the Autodesk Fusion MCP extension allows arbitrary code execution when a user visits a maliciously crafted webpage.
Executive summary
A critical vulnerability in the Autodesk Fusion MCP extension enables unauthenticated remote attackers to achieve arbitrary code execution on the host machine.
Vulnerability
This vulnerability resides in the MCP extension of Autodesk Fusion. It allows an unauthenticated attacker to execute arbitrary code with the privileges of the logged-in user by enticing that user to visit a malicious webpage.
Business impact
With a CVSS score of 9.6, this vulnerability poses a severe risk to organizational security. Successful exploitation could lead to full system compromise, unauthorized data exfiltration, or the deployment of ransomware, resulting in significant operational downtime and potential loss of intellectual property.
Remediation
Immediate Action: Update Autodesk Fusion to the latest version provided by the vendor to patch the MCP extension.
Proactive Monitoring: Monitor endpoint activity for unauthorized process launches or abnormal network connections originating from the Fusion application.
Compensating Controls: Implement browser-based security controls or network filtering to block access to known malicious domains and minimize the risk of users navigating to untrusted sites.
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
Given the critical nature of this remote code execution flaw, organizations must prioritize patching all instances of Autodesk Fusion. Administrators should ensure that all endpoints are updated to the latest version to prevent potential exploitation.