CVE-2025-21132

High

Published: 14 January 2025

Published

14 January 2025

Modified

17 January 2025

KEV Added

—

Patch

—

CVSS Score 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Score 0.0014 34.2th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Description

Substance3D - Stager versions 3.0.4 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Security Summary

CVE-2025-21132 is an out-of-bounds write vulnerability (CWE-787) in Adobe Substance 3D Stager versions 3.0.4 and earlier. The flaw enables arbitrary code execution in the context of the current user upon opening a malicious file, as disclosed on January 14, 2025.

With a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), the vulnerability can be exploited by an attacker who has local access to the target system. Exploitation requires low complexity and no privileges but depends on user interaction, such as convincing the victim to open a specially crafted malicious file. Successful exploitation grants the attacker high-impact control over confidentiality, integrity, and availability, potentially fully compromising the affected user's system.

Adobe's security bulletin APSB25-03, available at https://helpx.adobe.com/security/products/substance3d_stager/apsb25-03.html, provides details on the vulnerability and mitigation steps, including patches for affected versions.

Details

CWE(s): CWE-787

Affected Products

adobe

substance 3d stager

≤ 3.1.0

References

https://helpx.adobe.com/security/products/substance3d_stager/apsb25-03.html
Vendor Advisory · psirt@adobe.com