CVE-2025-24445
Published: 11 March 2025
Summary
CVE-2025-24445 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Adobe Substance 3D Sampler. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE is ranked at the 9.8th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-24445 is an out-of-bounds write vulnerability (CWE-787) affecting Adobe Substance3D Sampler versions 4.5.2 and earlier. Published on 2025-03-11, the flaw carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and could result in arbitrary code execution in the context of the current user.
Exploitation requires local access and user interaction, specifically a victim opening a malicious file. An unprivileged attacker can leverage this to trigger the out-of-bounds write, achieving high confidentiality, integrity, and availability impacts through arbitrary code execution with no change in scope.
Adobe Security Bulletin APSB25-16, available at https://helpx.adobe.com/security/products/substance3d-sampler/apsb25-16.html, provides details on the vulnerability and mitigation steps for Substance3D Sampler.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-7651
Vulnerability details
Substance3D - Sampler versions 4.5.2 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a client-side out-of-bounds write in a desktop application that is triggered by opening a malicious file, directly enabling exploitation for client execution (T1203) and user execution via malicious file (T1204.002) to achieve arbitrary code execution.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly mitigates the out-of-bounds write vulnerability by requiring timely application of vendor patches as specified in Adobe Security Bulletin APSB25-16.
- SI-16 (Memory Protection): Implements memory protections such as DEP and ASLR that reduce the likelihood of arbitrary code execution from out-of-bounds write exploits even if the software remains unpatched.
- Malicious file scanning: Scans and blocks malicious files exploiting the vulnerability before the user opens them in Substance3D Sampler.