CVE-2025-24441
Published: 11 March 2025
Summary
CVE-2025-24441 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Adobe Substance 3D Sampler. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002); ranked at the 8.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Mandates timely remediation of identified flaws like CVE-2025-24441 through patching vulnerable Substance3D Sampler versions as recommended in Adobe APSB25-16.
Implements memory protections such as ASLR and DEP that mitigate exploitation of out-of-bounds write vulnerabilities during malicious file processing.
Requires vulnerability scanning to identify and prioritize systems running affected Substance3D Sampler versions for remediation.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The out-of-bounds write vulnerability enables arbitrary code execution when a user opens a specially crafted malicious file in the vulnerable application, directly mapping to T1204.002: Malicious File under User Execution.
NVD Description
Substance3D - Sampler versions 4.5.2 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must…
more
open a malicious file.
Deeper analysisAI
CVE-2025-24441 is an out-of-bounds write vulnerability (CWE-787) affecting Adobe Substance3D Sampler versions 4.5.2 and earlier. This flaw occurs during the processing of malicious files, potentially leading to arbitrary code execution in the context of the current user. The vulnerability received a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and was published on March 11, 2025.
Exploitation requires local access and user interaction, as a victim must open a specially crafted malicious file. An attacker with no privileges can leverage this to achieve full compromise of the affected system, gaining high-impact confidentiality, integrity, and availability effects through code execution under the user's privileges. Common vectors include social engineering tactics like phishing emails or shared files that entice users to load the malicious content in Substance3D Sampler.
Adobe Security Bulletin APSB25-16, available at https://helpx.adobe.com/security/products/substance3d-sampler/apsb25-16.html, details mitigation steps, including recommendations to update to a patched version of Substance3D Sampler.
Details
- CWE(s)