CVE-2025-27175
Published: 11 March 2025
Description
An adversary may rely upon a user opening a malicious file in order to gain execution.
Security Summary
CVE-2025-27175 is an out-of-bounds write vulnerability (CWE-787) affecting Adobe InDesign Desktop versions ID20.1, ID19.5.2, and earlier. This flaw could lead to arbitrary code execution in the context of the current user when processing malicious files.
The vulnerability has a CVSS v3.1 base score of 7.8 (High), with vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, indicating low attack complexity, no required privileges, and user interaction via opening a malicious file. A local attacker could exploit it by tricking a victim into opening a specially crafted file, achieving full control over the affected system with high impacts to confidentiality, integrity, and availability in the user's context.
Adobe's security bulletin APSB25-19, detailed at https://helpx.adobe.com/security/products/indesign/apsb25-19.html, provides information on mitigation, including available patches for affected InDesign versions.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is an out-of-bounds write in Adobe InDesign that enables arbitrary code execution when a user opens a specially crafted malicious file, directly facilitating T1204.002 User Execution: Malicious File.