CVE-2025-27171
Published: 11 March 2025
Description
An adversary may rely upon a user opening a malicious file in order to gain execution.
Security Summary
CVE-2025-27171 is a heap-based buffer overflow vulnerability (CWE-122, CWE-787) affecting Adobe InDesign Desktop versions ID20.1, ID19.5.2, and earlier. The flaw occurs during file processing and can lead to arbitrary code execution in the context of the current user. It has a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H), indicating high impact with low attack complexity but requiring local access and user interaction.
An attacker can exploit this vulnerability by crafting a malicious file that, when opened by a victim in a vulnerable InDesign version, triggers the buffer overflow and executes arbitrary code with the privileges of the logged-in user. No special privileges are needed (PR:N), but the victim must actively open the file (UI:R), making it suitable for targeted attacks via social engineering, such as phishing emails with malicious InDesign documents (.indd files).
Adobe Security Bulletin APSB25-19, available at https://helpx.adobe.com/security/products/indesign/apsb25-19.html, details the vulnerability and recommends mitigation through applying the latest security updates to affected InDesign versions.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The heap buffer overflow enables arbitrary code execution when a user opens a crafted malicious .indd file, directly mapping to exploitation of client software (T1203) and user execution of a malicious file (T1204.002).