CVE-2025-27178
Published: 11 March 2025
Description
An adversary may rely upon a user opening a malicious file in order to gain execution.
Security Summary
CVE-2025-27178 is an out-of-bounds write vulnerability (CWE-787) affecting Adobe InDesign Desktop versions ID20.1, ID19.5.2, and earlier. This flaw could lead to arbitrary code execution in the context of the current user. The vulnerability has a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H), indicating high severity due to its potential for significant impact on confidentiality, integrity, and availability.
Exploitation requires user interaction, specifically opening a malicious file in the affected InDesign versions. An attacker with local access can craft such a file to trigger the out-of-bounds write, resulting in code execution as the logged-in user without requiring privileges. No elevated permissions are needed, and the attack complexity is low, making it feasible for adversaries targeting InDesign users via socially engineered file delivery, such as email attachments or shared documents.
Adobe Security Bulletin APSB25-19 provides details on mitigation, available at https://helpx.adobe.com/security/products/indesign/apsb25-19.html. Security practitioners should consult this advisory for patch information and apply updates to vulnerable InDesign installations promptly.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The out-of-bounds write enables arbitrary code execution when a user opens a malicious InDesign file, directly mapping to exploitation for client execution and user execution via malicious file.