Cyber Posture

CVE-2025-21131

High

Published: 14 January 2025

Modified: 17 January 2025
KEV Added
Patch
CVSS Score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0014 (34.2th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Description

Substance3D - Stager versions 3.0.4 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Security Summary

Substance3D - Stager versions 3.0.4 and earlier are affected by CVE-2025-21131, an out-of-bounds write vulnerability (CWE-787) that could result in arbitrary code execution in the context of the current user. Published on 2025-01-14, it carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H): high impact on confidentiality, integrity and availability, with a local attack vector (AV:L) and required user interaction (UI:R).

Exploitation requires a victim to open a malicious file in the affected software, which triggers the out-of-bounds write; the attack vector is local (AV:L) and no privileges are required (PR:N). Successful exploitation allows arbitrary code execution with the privileges of the current user, potentially leading to full system compromise if the user has elevated permissions.

The Adobe Product Security Bulletin APSB25-03 at https://helpx.adobe.com/security/products/substance3d_stager/apsb25-03.html details the vulnerability and recommends applying the available security update to mitigate it.

Details

CWE(s)
CWE-787

Affected Products

adobe
substance 3d stager
≤ 3.1.0
