CVE-2025-24450
Published: 11 March 2025
Summary
CVE-2025-24450 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Adobe Substance 3D Painter. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 12.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mandates timely remediation of the out-of-bounds write vulnerability through patching Substance3D Painter to versions beyond 10.1.2 as recommended by Adobe.
Implements memory protections such as DEP and ASLR to prevent arbitrary code execution resulting from the out-of-bounds write during malicious file processing.
Requires validation of file inputs to detect and reject malformed data that could trigger the out-of-bounds write vulnerability in Substance3D Painter.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability in file processing of desktop application enables arbitrary code execution upon opening a malicious file, directly mapping to exploitation for client execution and user execution via malicious file.
NVD Description
Substance3D - Painter versions 10.1.2 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must…
more
open a malicious file.
Deeper analysisAI
CVE-2025-24450 is an out-of-bounds write vulnerability (CWE-787) affecting Adobe Substance3D Painter versions 10.1.2 and earlier. This flaw occurs during file processing and can lead to arbitrary code execution in the context of the current user. The vulnerability received a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high confidentiality, integrity, and availability impacts upon successful exploitation.
Exploitation requires local access to the target system and user interaction, specifically convincing a victim to open a malicious file in Substance3D Painter. No special privileges are needed (PR:N), and the attack complexity is low (AC:L). A successful exploit allows arbitrary code execution with the privileges of the current user, potentially enabling full system compromise if the application runs with elevated permissions.
Adobe's security bulletin APSB25-18, available at https://helpx.adobe.com/security/products/substance3d_painter/apsb25-18.html, provides details on the vulnerability and recommends mitigation steps, including updating to a patched version of Substance3D Painter beyond 10.1.2. The advisory was published on 2025-03-11.
Details
- CWE(s)