CVE-2025-21161

High

Published: 11 February 2025

Published

11 February 2025

Modified

03 March 2025

KEV Added

—

Patch

—

CVSS Score 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Score 0.0011 28.7th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Description

Substance3D - Designer versions 14.0.2 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Security Summary

CVE-2025-21161 is an out-of-bounds write vulnerability (CWE-787) affecting Adobe Substance3D Designer versions 14.0.2 and earlier. Published on 2025-02-11, this flaw could result in arbitrary code execution in the context of the current user when exploited.

The vulnerability carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high impact with low attack complexity but requiring local access, no privileges, and user interaction. An attacker with a malicious file can exploit it by tricking a victim into opening the file in the affected software, achieving arbitrary code execution with high confidentiality, integrity, and availability impacts in the user's context.

Adobe Security Bulletin APSB25-12 details the vulnerability and mitigation recommendations, including available patches, at https://helpx.adobe.com/security/products/substance3d_designer/apsb25-12.html.

Details

CWE(s): CWE-787

Affected Products

adobe

substance 3d designer

≤ 14.1

References

https://helpx.adobe.com/security/products/substance3d_designer/apsb25-12.html
Vendor Advisory · psirt@adobe.com