Cyber Resilience

CVE-2025-24450

High

Published: 11 March 2025

Published
11 March 2025
Modified
18 April 2025
KEV Added
Patch
CVSS Score v3.1 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0004 12.8th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-24450 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Adobe Substance 3D Painter. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 12.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-24450 is an out-of-bounds write vulnerability (CWE-787) affecting Adobe Substance3D Painter versions 10.1.2 and earlier. This flaw occurs during file processing and can lead to arbitrary code execution in the context of the current user. The vulnerability received a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high confidentiality, integrity, and availability impacts upon successful exploitation.

Exploitation requires local access to the target system and user interaction, specifically convincing a victim to open a malicious file in Substance3D Painter. No special privileges are needed (PR:N), and the attack complexity is low (AC:L). A successful exploit allows arbitrary code execution with the privileges of the current user, potentially enabling full system compromise if the application runs with elevated permissions.

Adobe's security bulletin APSB25-18, available at https://helpx.adobe.com/security/products/substance3d_painter/apsb25-18.html, provides details on the vulnerability and recommends mitigation steps, including updating to a patched version of Substance3D Painter beyond 10.1.2. The advisory was published on 2025-03-11.

EU & UK References

Vulnerability details

Substance3D - Painter versions 10.1.2 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must…

more

open a malicious file.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1203 Exploitation for Client Execution Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
T1204.002 Malicious File Execution
An adversary may rely upon a user opening a malicious file in order to gain execution.
Why these techniques?

Vulnerability in file processing of desktop application enables arbitrary code execution upon opening a malicious file, directly mapping to exploitation for client execution and user execution via malicious file.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-34675Same product: Adobe Substance 3D Painter
CVE-2026-21305Same product: Adobe Substance 3D Painter
CVE-2026-34676Same product: Adobe Substance 3D Painter
CVE-2025-24451Same product: Adobe Substance 3D Painter
CVE-2026-34682Same vendor: Adobe
CVE-2026-34681Same vendor: Adobe
CVE-2026-21352Same vendor: Adobe
CVE-2026-21334Same vendor: Adobe
CVE-2026-34639Same vendor: Adobe
CVE-2025-24440Same vendor: Adobe

Affected Assets

adobe
substance 3d painter
≤ 11.0.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mandates timely remediation of the out-of-bounds write vulnerability through patching Substance3D Painter to versions beyond 10.1.2 as recommended by Adobe.

prevent

Implements memory protections such as DEP and ASLR to prevent arbitrary code execution resulting from the out-of-bounds write during malicious file processing.

prevent

Requires validation of file inputs to detect and reject malformed data that could trigger the out-of-bounds write vulnerability in Substance3D Painter.

References