CVE-2025-21137

High

Published: 14 January 2025

Published

14 January 2025

Modified

21 January 2025

KEV Added

—

Patch

—

CVSS Score 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Score 0.0018 38.7th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Description

Substance3D - Designer versions 14.0 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Security Summary

CVE-2025-21137 is a heap-based buffer overflow vulnerability affecting Adobe Substance3D Designer versions 14.0 and earlier. This issue, associated with CWE-122 and CWE-787, could result in arbitrary code execution in the context of the current user.

Exploitation requires user interaction, as a victim must open a malicious file. An attacker with local access and no privileges can craft and deliver such a file, leading to arbitrary code execution upon opening, with high confidentiality, integrity, and availability impacts. The CVSS v3.1 base score is 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high severity but dependence on local access and user action.

Adobe's security bulletin APSB25-06 at https://helpx.adobe.com/security/products/substance3d_designer/apsb25-06.html provides details on the vulnerability and mitigation recommendations.

Details

CWE(s): CWE-122CWE-787

Affected Products

adobe

substance 3d designer

≤ 14.1

References

https://helpx.adobe.com/security/products/substance3d_designer/apsb25-06.html
Vendor Advisory · psirt@adobe.com