Cyber Resilience

CVE-2025-27171

High

Published: 11 March 2025

Published
11 March 2025
Modified
28 April 2025
KEV Added
Patch
CVSS Score v3.1 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0007 22.1th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-27171 is a high-severity Heap-based Buffer Overflow (CWE-122) vulnerability in Adobe Indesign. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 22.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-27171 is a heap-based buffer overflow vulnerability (CWE-122, CWE-787) affecting Adobe InDesign Desktop versions ID20.1, ID19.5.2, and earlier. The flaw occurs during file processing and can lead to arbitrary code execution in the context of the current user. It has a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H), indicating high impact with low attack complexity but requiring local access and user interaction.

An attacker can exploit this vulnerability by crafting a malicious file that, when opened by a victim in a vulnerable InDesign version, triggers the buffer overflow and executes arbitrary code with the privileges of the logged-in user. No special privileges are needed (PR:N), but the victim must actively open the file (UI:R), making it suitable for targeted attacks via social engineering, such as phishing emails with malicious InDesign documents (.indd files).

Adobe Security Bulletin APSB25-19, available at https://helpx.adobe.com/security/products/indesign/apsb25-19.html, details the vulnerability and recommends mitigation through applying the latest security updates to affected InDesign versions.

EU & UK References

Vulnerability details

InDesign Desktop versions ID20.1, ID19.5.2 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim…

more

must open a malicious file.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1203 Exploitation for Client Execution Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
T1204.002 Malicious File Execution
An adversary may rely upon a user opening a malicious file in order to gain execution.
Why these techniques?

The heap buffer overflow enables arbitrary code execution when a user opens a crafted malicious .indd file, directly mapping to exploitation of client software (T1203) and user execution of a malicious file (T1204.002).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-21277Same product: Adobe Indesign
CVE-2025-24453Same product: Adobe Indesign
CVE-2025-21123Same product: Adobe Indesign
CVE-2026-21357Same product: Adobe Indesign
CVE-2025-27177Same product: Adobe Indesign
CVE-2025-27166Same product: Adobe Indesign
CVE-2026-27238Same product: Adobe Indesign
CVE-2025-21157Same product: Adobe Indesign
CVE-2025-24452Same product: Adobe Indesign
CVE-2026-21304Same product: Adobe Indesign

Affected Assets

adobe
indesign
≤ 19.5.3 · 20.0 — 20.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mandates timely remediation of the heap-based buffer overflow vulnerability in InDesign through application of Adobe's security patches.

prevent

Implements memory protections such as DEP and ASLR to prevent arbitrary code execution from heap buffer overflows triggered by malicious files.

detect

Enables vulnerability scanning to identify systems running vulnerable InDesign versions affected by this CVE, facilitating remediation.

References