CVE-2025-21169
Published: 11 March 2025
Description
An adversary may rely upon a user opening a malicious file in order to gain execution.
Security Summary
CVE-2025-21169 is a heap-based buffer overflow vulnerability (CWE-122, CWE-787) affecting Adobe Substance3D Designer versions 14.1 and earlier. The flaw could result in arbitrary code execution in the context of the current user. It has a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high impact on confidentiality, integrity, and availability with low attack complexity but requiring local access and user interaction.
Exploitation requires an attacker to trick a victim into opening a malicious file within the affected software. No privileges are needed beforehand (PR:N), but the attack is local (AV:L) and depends on user interaction (UI:R). Successful exploitation allows arbitrary code execution under the current user's context, potentially leading to full system compromise if the user has elevated privileges.
Adobe Security Bulletin APSB25-22 provides details on the vulnerability and mitigation. Security practitioners should consult https://helpx.adobe.com/security/products/substance3d_designer/apsb25-22.html for patch availability and recommended remediation steps.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The heap-based buffer overflow enables arbitrary code execution in a client application when a user opens a malicious file, directly mapping to Exploitation for Client Execution (T1203) and User Execution via Malicious File (T1204.002).