CVE-2025-24450
Published: 11 March 2025
Description
An adversary may rely upon a user opening a malicious file in order to gain execution.
Security Summary
CVE-2025-24450 is an out-of-bounds write vulnerability (CWE-787) affecting Adobe Substance3D Painter versions 10.1.2 and earlier. This flaw occurs during file processing and can lead to arbitrary code execution in the context of the current user. The vulnerability received a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high confidentiality, integrity, and availability impacts upon successful exploitation.
Exploitation requires local access to the target system and user interaction, specifically convincing a victim to open a malicious file in Substance3D Painter. No special privileges are needed (PR:N), and the attack complexity is low (AC:L). A successful exploit allows arbitrary code execution with the privileges of the current user, potentially enabling full system compromise if the application runs with elevated permissions.
Adobe's security bulletin APSB25-18, available at https://helpx.adobe.com/security/products/substance3d_painter/apsb25-18.html, provides details on the vulnerability and recommends mitigation steps, including updating to a patched version of Substance3D Painter beyond 10.1.2. The advisory was published on 2025-03-11.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Vulnerability in file processing of desktop application enables arbitrary code execution upon opening a malicious file, directly mapping to exploitation for client execution and user execution via malicious file.