CVE-2025-24444
Published: 11 March 2025
Summary
CVE-2025-24444 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Adobe Substance 3D Sampler. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002). The CVE is ranked at the 9.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-24444 is an out-of-bounds write vulnerability (CWE-787) affecting Adobe Substance3D Sampler versions 4.5.2 and earlier. The flaw could result in arbitrary code execution in the context of the current user.
Exploitation requires local access (AV:L) with low attack complexity (AC:L) and no privileges (PR:N), but user interaction (UI:R) is necessary: a victim must open a malicious file. Successful exploitation has high impact on confidentiality, integrity, and availability (C:H/I:H/A:H) with no change in scope (S:U), which yields a CVSS v3.1 base score of 7.8.
Adobe Security Bulletin APSB25-16 details the issue and mitigation steps, available at https://helpx.adobe.com/security/products/substance3d-sampler/apsb25-16.html.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-7650
Vulnerability details
Substance3D - Sampler versions 4.5.2 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
- CWE(s): CWE-787 (Out-of-bounds Write)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is triggered by opening a malicious file, leading to arbitrary code execution in the current user's context, which maps directly to T1204.002 (User Execution: Malicious File).
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): requires timely identification, reporting, and remediation of software flaws such as the out-of-bounds write in Substance3D Sampler, i.e. deploying the fixed version referenced in APSB25-16 to prevent arbitrary code execution.
- SI-16 (Memory Protection): implements memory protections such as ASLR and DEP that directly raise the cost of turning an out-of-bounds write into code execution.
- Establishes controls over user-installed software such as Substance3D Sampler to prohibit vulnerable versions (4.5.2 and earlier) and enforce updates.