Cyber Posture

CVE-2025-27166

High

Published: 11 March 2025

Published
11 March 2025
Modified
28 April 2025
KEV Added
Patch
CVSS Score 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0010 28.0th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Description

An adversary may rely upon a user opening a malicious file in order to gain execution.

Security Summary

CVE-2025-27166 is an out-of-bounds write vulnerability (CWE-787) affecting Adobe InDesign Desktop versions 20.1, 19.5.2, and earlier. The flaw resides in the software's handling of files, potentially leading to arbitrary code execution in the context of the current user.

Exploitation requires user interaction, as a victim must open a malicious file. Per the CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), an attacker needs local access with low attack complexity and no privileges, but must convince the user to open the file. Successful exploitation allows high-impact compromise of confidentiality, integrity, and availability in the user's context.

Adobe's security bulletin APSB25-19, published at https://helpx.adobe.com/security/products/indesign/apsb25-19.html, details patches and mitigation guidance for affected versions.

Details

CWE(s)
CWE-787

Affected Products

adobe
indesign
≤ 19.5.3 · 20.0 — 20.2

MITRE ATT&CK Enterprise Techniques

T1203 Exploitation for Client Execution Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
attack.mitre.org →
T1204.002 Malicious File Execution
An adversary may rely upon a user opening a malicious file in order to gain execution.
attack.mitre.org →
Why these techniques?

Out-of-bounds write in Adobe InDesign enables arbitrary code execution via opening a malicious file, directly mapping to client-side exploitation (T1203) and user execution through malicious file (T1204.002).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References