CVE-2025-24440
Published: 11 March 2025
Description
An adversary may rely upon a user opening a malicious file in order to gain execution.
Security Summary
CVE-2025-24440 is an out-of-bounds write vulnerability (CWE-787) affecting Adobe Substance3D Sampler versions 4.5.2 and earlier. This flaw occurs during the processing of malicious files, potentially leading to arbitrary code execution in the context of the current user. The vulnerability carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high impact but with requirements for local access and user interaction.
Exploitation requires an attacker to trick a victim into opening a specially crafted file using the affected software. No privileges are needed (PR:N), and the attack has low complexity (AC:L), making it feasible for adversaries with local access to the target system. Successful exploitation grants the attacker high levels of control over confidentiality, integrity, and availability, executing code with the privileges of the user running Substance3D Sampler.
Adobe Security Bulletin APSB25-16 provides details on mitigation, available at https://helpx.adobe.com/security/products/substance3d-sampler/apsb25-16.html. Security practitioners should advise users to update to a patched version of Substance3D Sampler beyond 4.5.2 to address this issue.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Out-of-bounds write in client app (Substance3D Sampler) enables RCE via specially crafted file opened by user, directly mapping to Exploitation for Client Execution and User Execution of Malicious File.