Cyber Resilience

CVE-2025-21129

High

Published: 14 January 2025

Published
14 January 2025
Modified
17 January 2025
KEV Added
Patch
CVSS Score v3.1 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0024 47.2th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-21129 is a high-severity Heap-based Buffer Overflow (CWE-122) vulnerability in Adobe Substance 3D Stager. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 47.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-21129 is a heap-based buffer overflow vulnerability (CWE-122, CWE-787) affecting Adobe Substance 3D Stager versions 3.0.4 and earlier. Published on 2025-01-14, the flaw enables arbitrary code execution in the context of the current user upon processing a malicious file.

The attack requires local access (AV:L) with low complexity (AC:L) and no privileges (PR:N), but demands user interaction (UI:R) as the victim must open a specially crafted malicious file in the affected software. Successful exploitation results in high-impact confidentiality, integrity, and availability violations (C:H/I:H/A:H) with no change in scope (S:U), yielding a CVSS v3.1 base score of 7.8 and allowing the attacker to execute arbitrary code as the current user.

Adobe's security bulletin APSB25-03 provides details on the vulnerability and mitigation steps, accessible at https://helpx.adobe.com/security/products/substance3d_stager/apsb25-03.html.

EU & UK References

Vulnerability details

Substance3D - Stager versions 3.0.4 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim…

more

must open a malicious file.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1203 Exploitation for Client Execution Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
T1204.002 Malicious File Execution
An adversary may rely upon a user opening a malicious file in order to gain execution.
Why these techniques?

Heap buffer overflow in client app enables arbitrary code execution via malicious file opened by user (T1204.002), directly matching Exploitation for Client Execution (T1203).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-21132Same product: Adobe Substance 3D Stager
CVE-2025-21130Same product: Adobe Substance 3D Stager
CVE-2025-21131Same product: Adobe Substance 3D Stager
CVE-2026-27273Same product: Adobe Substance 3D Stager
CVE-2026-27275Same product: Adobe Substance 3D Stager
CVE-2026-21342Same product: Adobe Substance 3D Stager
CVE-2026-27279Same product: Adobe Substance 3D Stager
CVE-2026-21283Same product: Apple Macos
CVE-2026-21277Same product: Apple Macos
CVE-2025-24453Same product: Apple Macos

Affected Assets

adobe
substance 3d stager
≤ 3.1.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires timely remediation of the specific heap-based buffer overflow vulnerability through application of Adobe's patch as detailed in APSB25-03.

prevent

Implements memory protections such as ASLR and DEP that mitigate unauthorized code execution from heap buffer overflows.

detect

Enables scanning to identify systems with vulnerable versions of Substance 3D Stager affected by this CVE.

References