CVE-2025-27181
Published: 11 March 2025
Description
An adversary may rely upon a user opening a malicious file in order to gain execution.
Security Summary
CVE-2025-27181 is a Use After Free vulnerability (CWE-416) affecting Adobe Substance3D Modeler versions 1.15.0 and earlier. Published on 2025-03-11, it carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and can lead to arbitrary code execution in the context of the current user.
Exploitation requires an attacker to deliver a malicious file to a victim, who must then open it using the affected software. The attacker needs local access to the system but no special privileges, and user interaction is mandatory. Successful exploitation grants the attacker high-impact control over confidentiality, integrity, and availability, enabling arbitrary code execution under the user's privileges.
Adobe Security Bulletin APSB25-21, available at https://helpx.adobe.com/security/products/substance3d-modeler/apsb25-21.html, details mitigations and patches for this vulnerability.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a client-side UAF in a desktop application triggered by opening a malicious file, directly enabling T1203 (Exploitation for Client Execution) and T1204.002 (Malicious File) for arbitrary code execution.