CVE-2009-3578

Autodesk Maya 6.5-2010 and Alias Wavefront Maya 6.5-7.0 - Remote Code Execution via MEL Script Nodes

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2009-3578. PoCs published by Core Security.

AI-analyzed exploit summary: This advisory describes a vulnerability in Autodesk Maya where script nodes embedded in scene files can execute arbitrary commands upon opening. The proof of concept involves embedding Python code to launch calc.exe.

Description

Autodesk Maya 8.0, 8.5, 2008, 2009, and 2010 and Alias Wavefront Maya 6.5 and 7.0 allow remote attackers to execute arbitrary code via a (1) .ma or (2) .mb file that uses the Maya Embedded Language (MEL) python command or unspecified other MEL commands, related to "Script Nodes."

Exploits (1)

exploitdb WRITEUP VERIFIED
by Core Security · text · local · windows
https://www.exploit-db.com/exploits/10213

Classification: Writeup 100%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Autodesk Maya 2010, 2009, 2008, 8.5, 8.0, 7.0, 6.5
No auth needed
Prerequisites: User interaction to open a malicious scene file
devstral-2 · analyzed Feb 16, 2026

References (4)

Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://securitytracker.com/id?1023228
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/36636
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/508013/100/0/threaded

Scores

EPSS 0.0442
EPSS Percentile 90.1%

Details

CWE: CWE-94
Status: published
Products (4)
autodesk/alias_wavefront_maya 6.5
autodesk/alias_wavefront_maya 7.0
autodesk/autodesk_maya 8.0 2008 (3 CPE variants)
autodesk/autodesk_maya 8.5 2008 (3 CPE variants)
Published Nov 24, 2009
Tracked Since Feb 18, 2026