CVE-2025-21135
Published: 14 January 2025
Summary
CVE-2025-21135 is a high-severity Wrap or Wraparound (CWE-191) vulnerability in Adobe Animate. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 34.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly remediates the integer underflow vulnerability by requiring timely identification, reporting, and application of vendor patches for affected Adobe Animate versions.
Implements memory protections such as DEP and ASLR that mitigate arbitrary code execution resulting from the integer underflow when processing malicious files.
Deploys malicious code protection mechanisms to scan and block malicious files crafted to exploit the vulnerability before they are opened in Adobe Animate.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Integer underflow in client app enables arbitrary code exec via malicious file opened by user (T1204.002); directly maps to client-side exploitation technique (T1203).
NVD Description
Animate versions 24.0.6, 23.0.9 and earlier are affected by an Integer Underflow (Wrap or Wraparound) vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a…
more
victim must open a malicious file.
Deeper analysisAI
CVE-2025-21135 is an Integer Underflow (Wrap or Wraparound) vulnerability, classified under CWE-191, affecting Adobe Animate versions 24.0.6, 23.0.9, and earlier. This flaw could allow arbitrary code execution in the context of the current user. The vulnerability has a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high impact with low attack complexity but requiring local access and user interaction.
Exploitation requires an attacker to trick a victim into opening a malicious file within the affected Adobe Animate software. No privileges are needed (PR:N), and the attack has an unchanged scope (S:U). Successful exploitation grants the attacker high levels of confidentiality, integrity, and availability impact, enabling arbitrary code execution as the logged-in user.
Adobe has published security bulletin APSB25-05 at https://helpx.adobe.com/security/products/animate/apsb25-05.html, which provides details on the vulnerability and available patches for mitigation. Security practitioners should ensure affected systems are updated to patched versions and advise users to avoid opening untrusted files in Adobe Animate.
Details
- CWE(s)