Skip to main content

CVE-2025-54235: Out-of-bounds Read (CWE-125) in Adobe Substance3D - Modeler

Medium
VulnerabilityCVE-2025-54235cvecve-2025-54235cwe-125
Published: Tue Aug 12 2025 (08/12/2025, 20:36:10 UTC)
Source: CVE Database V5
Vendor/Project: Adobe
Product: Substance3D - Modeler

Description

Substance3D - Modeler versions 1.22.0 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

AI-Powered Analysis

AILast updated: 08/12/2025, 21:04:33 UTC

Technical Analysis

CVE-2025-54235 is an out-of-bounds read vulnerability (CWE-125) affecting Adobe Substance3D - Modeler versions 1.22.0 and earlier. This vulnerability arises when the software improperly handles memory bounds while processing certain data structures, leading to the potential disclosure of sensitive memory contents. The flaw is triggered when a user opens a specially crafted malicious file, which causes the application to read beyond the allocated buffer limits. This out-of-bounds read does not allow modification of data or denial of service but can leak sensitive information from the application's memory space. The vulnerability requires user interaction, specifically opening a malicious file, and does not require any privileges or prior authentication. The CVSS v3.1 base score is 5.5, indicating a medium severity level, with the vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N, meaning the attack requires local access, low attack complexity, no privileges, user interaction, unchanged scope, high confidentiality impact, and no integrity or availability impact. No patches or known exploits in the wild have been reported as of the publication date (August 12, 2025).

Potential Impact

For European organizations, the primary risk posed by this vulnerability is the potential leakage of sensitive information from memory when users open malicious files in Adobe Substance3D - Modeler. This could include proprietary design data, intellectual property, or other confidential information processed by the software. Organizations in sectors such as digital content creation, gaming, advertising, and industrial design that rely on Substance3D - Modeler may face confidentiality breaches. Although the vulnerability does not allow code execution or system compromise, the exposure of sensitive data could lead to competitive disadvantage, regulatory compliance issues (e.g., GDPR concerns if personal data is involved), and reputational damage. The requirement for user interaction limits the attack vector to targeted phishing or social engineering campaigns distributing malicious files. Since the vulnerability is local and requires file opening, the impact is contained to users who have the software installed and open untrusted files, reducing the risk of widespread automated exploitation.

Mitigation Recommendations

European organizations should implement a multi-layered mitigation strategy: 1) Educate users about the risks of opening files from untrusted or unknown sources, emphasizing caution with files related to 3D modeling projects. 2) Restrict the use of Adobe Substance3D - Modeler to trusted environments and limit file sharing channels to verified sources. 3) Monitor and control local access to systems running the software to prevent unauthorized file introduction. 4) Employ application whitelisting and endpoint detection to identify anomalous file openings or suspicious behavior. 5) Since no official patch is available yet, consider isolating or sandboxing the application to limit memory exposure. 6) Maintain up-to-date backups and incident response plans to address potential data leaks. 7) Regularly check Adobe’s security advisories for patches or updates addressing this vulnerability and apply them promptly once released.

Need more detailed analysis?Get Pro

Technical Details

Data Version
5.1
Assigner Short Name
adobe
Date Reserved
2025-07-17T21:15:02.453Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 689ba87bad5a09ad00367c79

Added to database: 8/12/2025, 8:47:55 PM

Last enriched: 8/12/2025, 9:04:33 PM

Last updated: 8/18/2025, 12:34:11 AM

Views: 9

Actions

PRO

Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.

Please log in to the Console to use AI analysis features.

Need enhanced features?

Contact root@offseq.com for Pro access with improved analysis and higher rate limits.

Latest Threats