CVE-2025-27177
Published: 11 March 2025
Description
An adversary may rely upon a user opening a malicious file in order to gain execution.
Security Summary
**CVE-2025-27177** is a Heap-based Buffer Overflow vulnerability (CWE-122, CWE-787) affecting Adobe InDesign Desktop versions ID20.1, ID19.5.2, and earlier. Published on 2025-03-11, it has a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and enables arbitrary code execution in the context of the current user upon opening a malicious file.
Exploitation requires local access and user interaction, where an attacker with a specially crafted file can convince a victim to open it in vulnerable InDesign versions. Successful exploitation leads to arbitrary code execution, potentially allowing full compromise of the user's system with high impacts on confidentiality, integrity, and availability.
Adobe Security Bulletin APSB25-19 (https://helpx.adobe.com/security/products/indesign/apsb25-19.html) confirms the vulnerability and states that InDesign Desktop versions ID20.2 and ID19.5.3 resolve it. Mitigation involves applying these patches immediately, as no workarounds are provided; user interaction is required for exploitation.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Heap-based buffer overflow enables arbitrary code execution upon opening a malicious InDesign file, directly mapping to client-side exploitation (T1203) and user execution of malicious file (T1204.002).