CVE-2025-21129

High

Published: 14 January 2025

Published

14 January 2025

Modified

17 January 2025

KEV Added

—

Patch

—

CVSS Score 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Score 0.0018 38.7th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Description

Substance3D - Stager versions 3.0.4 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Security Summary

CVE-2025-21129 is a heap-based buffer overflow vulnerability (CWE-122, CWE-787) affecting Adobe Substance 3D Stager versions 3.0.4 and earlier. Published on 2025-01-14, the flaw enables arbitrary code execution in the context of the current user upon processing a malicious file.

The attack requires local access (AV:L) with low complexity (AC:L) and no privileges (PR:N), but demands user interaction (UI:R) as the victim must open a specially crafted malicious file in the affected software. Successful exploitation results in high-impact confidentiality, integrity, and availability violations (C:H/I:H/A:H) with no change in scope (S:U), yielding a CVSS v3.1 base score of 7.8 and allowing the attacker to execute arbitrary code as the current user.

Adobe's security bulletin APSB25-03 provides details on the vulnerability and mitigation steps, accessible at https://helpx.adobe.com/security/products/substance3d_stager/apsb25-03.html.

Details

CWE(s): CWE-122CWE-787

Affected Products

adobe

substance 3d stager

≤ 3.1.0

References

https://helpx.adobe.com/security/products/substance3d_stager/apsb25-03.html
Vendor Advisory · psirt@adobe.com