CVE-2025-24440
Published: 11 March 2025
Summary
CVE-2025-24440 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Adobe Substance 3D Sampler. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 13.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly addresses the out-of-bounds write vulnerability by requiring timely identification, testing, and deployment of patches for Substance3D Sampler as advised in Adobe bulletin APSB25-16.
Implements memory protections such as DEP and ASLR that prevent arbitrary code execution resulting from the out-of-bounds write during malicious file processing.
Restricts or approves user-installed software like vulnerable versions of Substance3D Sampler, preventing deployment of unpatched instances on systems.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Out-of-bounds write in client app (Substance3D Sampler) enables RCE via specially crafted file opened by user, directly mapping to Exploitation for Client Execution and User Execution of Malicious File.
NVD Description
Substance3D - Sampler versions 4.5.2 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must…
more
open a malicious file.
Deeper analysisAI
CVE-2025-24440 is an out-of-bounds write vulnerability (CWE-787) affecting Adobe Substance3D Sampler versions 4.5.2 and earlier. This flaw occurs during the processing of malicious files, potentially leading to arbitrary code execution in the context of the current user. The vulnerability carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high impact but with requirements for local access and user interaction.
Exploitation requires an attacker to trick a victim into opening a specially crafted file using the affected software. No privileges are needed (PR:N), and the attack has low complexity (AC:L), making it feasible for adversaries with local access to the target system. Successful exploitation grants the attacker high levels of control over confidentiality, integrity, and availability, executing code with the privileges of the user running Substance3D Sampler.
Adobe Security Bulletin APSB25-16 provides details on mitigation, available at https://helpx.adobe.com/security/products/substance3d-sampler/apsb25-16.html. Security practitioners should advise users to update to a patched version of Substance3D Sampler beyond 4.5.2 to address this issue.
Details
- CWE(s)