CVE-2025-24453
Published: 11 March 2025
Summary
CVE-2025-24453 is a high-severity Heap-based Buffer Overflow (CWE-122) vulnerability in Adobe Indesign. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 31.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates the vulnerability by requiring timely remediation through application of Adobe's patches for the heap-based buffer overflow in InDesign.
Implements memory safeguards like DEP and ASLR that protect against arbitrary code execution resulting from the heap buffer overflow.
Requires input validation during file processing to address the root cause of the buffer overflow when opening malicious InDesign files.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Heap-based buffer overflow in Adobe InDesign during malicious file processing enables arbitrary code execution, directly mapping to Exploitation for Client Execution (T1203) and User Execution via Malicious File (T1204.002).
NVD Description
InDesign Desktop versions ID20.1, ID19.5.2 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim…
more
must open a malicious file.
Deeper analysisAI
CVE-2025-24453 is a heap-based buffer overflow vulnerability (CWE-122, CWE-787) affecting Adobe InDesign Desktop versions ID20.1, ID19.5.2, and earlier. The flaw occurs during file processing and can lead to arbitrary code execution in the context of the current user. It has a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H), indicating high severity due to its potential for complete system compromise upon successful exploitation.
Exploitation requires local access and user interaction, specifically tricking a victim into opening a malicious InDesign file. No special privileges are needed (PR:N), and the attack complexity is low (AC:L). A successful exploit allows arbitrary code execution with high impacts on confidentiality, integrity, and availability, all within the user's scope without privilege escalation.
Adobe's security bulletin APSB25-19, available at https://helpx.adobe.com/security/products/indesign/apsb25-19.html, addresses this vulnerability and provides patches for affected versions. Security practitioners should advise users to apply the latest updates to InDesign Desktop immediately to mitigate the risk.
Details
- CWE(s)