CVE-2025-21128

High

Published: 14 January 2025

Published

14 January 2025

Modified

17 January 2025

KEV Added

—

Patch

—

CVSS Score 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Score 0.0018 38.7th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Description

Substance3D - Stager versions 3.0.4 and earlier are affected by a Stack-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Security Summary

CVE-2025-21128 is a stack-based buffer overflow vulnerability (CWE-121, CWE-787) affecting Adobe Substance3D Stager versions 3.0.4 and earlier. The flaw occurs when processing malicious files, potentially leading to arbitrary code execution in the context of the current user.

Exploitation requires local access (AV:L) with low complexity (AC:L) and no privileges (PR:N), but user interaction (UI:R) is necessary, as a victim must open a specially crafted malicious file. Successful exploitation grants the attacker high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H) without scope change (S:U), resulting in a CVSS v3.1 base score of 7.8.

Adobe Security Bulletin APSB25-03 provides details on the vulnerability and mitigation, available at https://helpx.adobe.com/security/products/substance3d_stager/apsb25-03.html.

Details

CWE(s): CWE-121CWE-787

Affected Products

adobe

substance 3d stager

≤ 3.1.0

References

https://helpx.adobe.com/security/products/substance3d_stager/apsb25-03.html
Vendor Advisory · psirt@adobe.com