Cyber Resilience

CVE-2025-21135

High

Published: 14 January 2025

Published
14 January 2025
Modified
12 February 2025
KEV Added
Patch
CVSS Score v3.1 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0020 42.2th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-21135 is a high-severity Wrap or Wraparound (CWE-191) vulnerability in Adobe Animate. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 42.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2025-21135 is an Integer Underflow (Wrap or Wraparound) vulnerability, classified under CWE-191, affecting Adobe Animate versions 24.0.6, 23.0.9, and earlier. This flaw could allow arbitrary code execution in the context of the current user. The vulnerability has a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high impact with low attack complexity but requiring local access and user interaction.

Exploitation requires an attacker to trick a victim into opening a malicious file within the affected Adobe Animate software. No privileges are needed (PR:N), and the attack has an unchanged scope (S:U). Successful exploitation grants the attacker high levels of confidentiality, integrity, and availability impact, enabling arbitrary code execution as the logged-in user.

Adobe has published security bulletin APSB25-05 at https://helpx.adobe.com/security/products/animate/apsb25-05.html, which provides details on the vulnerability and available patches for mitigation. Security practitioners should ensure affected systems are updated to patched versions and advise users to avoid opening untrusted files in Adobe Animate.

EU & UK References

Vulnerability details

Animate versions 24.0.6, 23.0.9 and earlier are affected by an Integer Underflow (Wrap or Wraparound) vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a…

more

victim must open a malicious file.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1203 Exploitation for Client Execution Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
T1204.002 Malicious File Execution
An adversary may rely upon a user opening a malicious file in order to gain execution.
Why these techniques?

Integer underflow in client app enables arbitrary code exec via malicious file opened by user (T1204.002); directly maps to client-side exploitation technique (T1203).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-21158Same product: Apple Macos
CVE-2025-21156Same product: Apple Macos
CVE-2025-21160Same product: Apple Macos
CVE-2025-21122Same product: Apple Macos
CVE-2026-27287Same product: Apple Macos
CVE-2026-21283Same product: Apple Macos
CVE-2026-21277Same product: Apple Macos
CVE-2025-21132Same product: Apple Macos
CVE-2025-27168Same product: Apple Macos
CVE-2026-34638Same product: Apple Macos

Affected Assets

adobe
animate
23.0.0 — 23.0.10 · 24.0.0 — 24.0.7

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly remediates the integer underflow vulnerability by requiring timely identification, reporting, and application of vendor patches for affected Adobe Animate versions.

prevent

Implements memory protections such as DEP and ASLR that mitigate arbitrary code execution resulting from the integer underflow when processing malicious files.

preventdetect

Deploys malicious code protection mechanisms to scan and block malicious files crafted to exploit the vulnerability before they are opened in Adobe Animate.

References