CVE-2025-27177
Published: 11 March 2025
Summary
CVE-2025-27177 is a high-severity Heap-based Buffer Overflow (CWE-122) vulnerability in Adobe Indesign. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 31.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly requires timely identification, reporting, and correction of flaws like the heap-based buffer overflow in vulnerable InDesign versions via patching as recommended in Adobe bulletin APSB25-19.
Implements memory protections such as ASLR and DEP that mitigate exploitation of heap-based buffer overflows by complicating arbitrary code execution even in unpatched software.
Enables vulnerability scanning to identify installations of affected InDesign versions (ID20.1, ID19.5.2 and earlier), facilitating targeted remediation.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Heap-based buffer overflow enables arbitrary code execution upon opening a malicious InDesign file, directly mapping to client-side exploitation (T1203) and user execution of malicious file (T1204.002).
NVD Description
InDesign Desktop versions ID20.1, ID19.5.2 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim…
more
must open a malicious file.
Deeper analysisAI
**CVE-2025-27177** is a Heap-based Buffer Overflow vulnerability (CWE-122, CWE-787) affecting Adobe InDesign Desktop versions ID20.1, ID19.5.2, and earlier. Published on 2025-03-11, it has a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and enables arbitrary code execution in the context of the current user upon opening a malicious file.
Exploitation requires local access and user interaction, where an attacker with a specially crafted file can convince a victim to open it in vulnerable InDesign versions. Successful exploitation leads to arbitrary code execution, potentially allowing full compromise of the user's system with high impacts on confidentiality, integrity, and availability.
Adobe Security Bulletin APSB25-19 (https://helpx.adobe.com/security/products/indesign/apsb25-19.html) confirms the vulnerability and states that InDesign Desktop versions ID20.2 and ID19.5.3 resolve it. Mitigation involves applying these patches immediately, as no workarounds are provided; user interaction is required for exploitation.
Details
- CWE(s)