CVE-2025-27178
Published: 11 March 2025
Summary
CVE-2025-27178 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Adobe Indesign. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 27.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly requires timely identification, reporting, and correction of flaws like the out-of-bounds write vulnerability in InDesign via vendor patches from APSB25-19.
Malicious code protection with real-time file scanning detects and eradicates malicious InDesign files before they are opened and exploited.
Memory protection mechanisms such as ASLR and DEP mitigate arbitrary code execution resulting from the out-of-bounds write vulnerability.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The out-of-bounds write enables arbitrary code execution when a user opens a malicious InDesign file, directly mapping to exploitation for client execution and user execution via malicious file.
NVD Description
InDesign Desktop versions ID20.1, ID19.5.2 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must…
more
open a malicious file.
Deeper analysisAI
CVE-2025-27178 is an out-of-bounds write vulnerability (CWE-787) affecting Adobe InDesign Desktop versions ID20.1, ID19.5.2, and earlier. This flaw could lead to arbitrary code execution in the context of the current user. The vulnerability has a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H), indicating high severity due to its potential for significant impact on confidentiality, integrity, and availability.
Exploitation requires user interaction, specifically opening a malicious file in the affected InDesign versions. An attacker with local access can craft such a file to trigger the out-of-bounds write, resulting in code execution as the logged-in user without requiring privileges. No elevated permissions are needed, and the attack complexity is low, making it feasible for adversaries targeting InDesign users via socially engineered file delivery, such as email attachments or shared documents.
Adobe Security Bulletin APSB25-19 provides details on mitigation, available at https://helpx.adobe.com/security/products/indesign/apsb25-19.html. Security practitioners should consult this advisory for patch information and apply updates to vulnerable InDesign installations promptly.
Details
- CWE(s)