CVE-2025-27167
Published: 11 March 2025
Description
Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs.
Security Summary
CVE-2025-27167 is an Untrusted Search Path vulnerability (CWE-426) affecting Adobe Illustrator versions 29.2.1, 28.7.4, and earlier. The flaw arises when the application relies on a search path to locate critical resources such as programs, allowing an attacker to manipulate that path to redirect to malicious programs or resources. This could enable execution of arbitrary code, unauthorized access to data files, or unintended modification of configurations, as the application trusts these resources without sufficient validation.
The vulnerability has a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating local access is required with low attack complexity, no privileges needed, but user interaction is necessary. A local attacker could exploit it by modifying the search path—such as through environment variables or directory placement—to trick Illustrator into loading and executing malicious programs or accessing sensitive data, potentially leading to high-impact confidentiality, integrity, and availability compromises on the affected system.
Adobe's security bulletin APSB25-17, available at https://helpx.adobe.com/security/products/illustrator/apsb25-17.html, provides details on the vulnerability and recommended mitigations, including available patches for affected Illustrator versions. Security practitioners should prioritize updating to patched versions to address this issue.
Details
CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The untrusted search path vulnerability (CWE-426) directly enables an attacker to manipulate the application's resource search path (e.g., via environment variables or directory placement) to load and execute malicious programs, mapping to Path Interception by Search Order Hijacking.
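A defender-side check for the condition this advisory describes, as an added example that is not code from the advisory, from Adobe, or from any Illustrator component: it audits a PATH-style search path for the entries a local attacker could control (an empty or relative entry, a directory that does not yet exist, or a world-writable directory) and reports them in search order, since an abusable directory searched before the legitimate one wins the lookup. The function names, the set of risk conditions, and the temporary directories it builds are the example's own assumptions; the constructed path exists only to demonstrate each finding.

```python
"""Audit a PATH-style search path for entries that enable search-order hijacking.

Added example (not from the advisory or Adobe). The advisory describes an
untrusted search path: the application trusts whichever directory yields a
match first. This audit flags the classic conditions a defender checks for
in an environment's search path, in the order the lookup would visit them.
"""
import os
import stat
import tempfile


def _world_writable(directory):
    # A directory any local user can write to lets an attacker place a
    # same-named program that is found before the legitimate one.
    mode = os.stat(directory).st_mode
    return bool(mode & stat.S_IWOTH)


def audit_search_path(path_value, pathsep=os.pathsep):
    """Return a list of (index, entry, reason) for risky entries, in search order.

    Risk conditions (the example's own choice of checks):
      - empty entry: resolved as the current working directory
      - relative entry: resolved against whatever the CWD happens to be
      - missing directory: whoever can create it controls its contents
      - world-writable directory: a look-alike program can be planted there
    An entry that passes every check is not reported.
    """
    findings = []
    for index, entry in enumerate(path_value.split(pathsep)):
        if entry == "":
            findings.append((index, entry, "empty entry resolves to current directory"))
        elif not os.path.isabs(entry):
            findings.append((index, entry, "relative entry depends on current directory"))
        elif not os.path.isdir(entry):
            findings.append((index, entry, "directory does not exist and could be created"))
        elif _world_writable(entry):
            findings.append((index, entry, "directory is world-writable"))
    return findings


def earliest_hijackable_position(path_value, pathsep=os.pathsep):
    """Index of the first risky entry, or None.

    Lower is worse: a controllable directory that is searched before the
    legitimate location satisfies the lookup first.
    """
    findings = audit_search_path(path_value, pathsep)
    return findings[0][0] if findings else None


def build_constructed_path(pathsep=os.pathsep):
    """Build a constructed search path (temporary directories, not a real
    deployment) that exhibits each risk condition exactly once."""
    safe = tempfile.mkdtemp()
    os.chmod(safe, 0o755)               # owner-writable only: passes the audit
    open_dir = tempfile.mkdtemp()
    os.chmod(open_dir, 0o1777)          # sticky + world-writable, like /tmp
    missing = os.path.join(safe, "not-yet-created")
    return pathsep.join([safe, "", "rel/bin", missing, open_dir])


if __name__ == "__main__":
    # Audit the constructed path first, then the real PATH of this process.
    for label, value in (("constructed", build_constructed_path()),
                         ("PATH", os.environ.get("PATH", ""))):
        print(f"== {label} ==")
        for index, entry, reason in audit_search_path(value):
            print(f"[{index}] {entry!r}: {reason}")
```

Run it as-is to see the five constructed entries audited, followed by the current process's own PATH; in a deployment review the same function is pointed at the environment the application actually launches under, because that, not the administrator's shell, is the search path the advisory's attacker influences.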