CVE-2025-24453
Published: 11 March 2025
Description
An adversary may rely upon a user opening a malicious file in order to gain execution.
Security Summary
CVE-2025-24453 is a heap-based buffer overflow vulnerability (CWE-122, CWE-787) affecting Adobe InDesign Desktop versions ID20.1, ID19.5.2, and earlier. The flaw occurs during file processing and can lead to arbitrary code execution in the context of the current user. It has a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H), indicating high severity due to its potential for complete system compromise upon successful exploitation.
Exploitation requires local access and user interaction, specifically tricking a victim into opening a malicious InDesign file. No special privileges are needed (PR:N), and the attack complexity is low (AC:L). A successful exploit allows arbitrary code execution with high impacts on confidentiality, integrity, and availability, all within the user's scope without privilege escalation.
Adobe's security bulletin APSB25-19, available at https://helpx.adobe.com/security/products/indesign/apsb25-19.html, addresses this vulnerability and provides patches for affected versions. Security practitioners should advise users to apply the latest updates to InDesign Desktop immediately to mitigate the risk.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Heap-based buffer overflow in Adobe InDesign during malicious file processing enables arbitrary code execution, directly mapping to Exploitation for Client Execution (T1203) and User Execution via Malicious File (T1204.002).