Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-43549

CVE-2025-43549: Adobe Substance 3D Stager UAF Vulnerability

CVE-2025-43549 is a use-after-free vulnerability in Adobe Substance 3D Stager that enables arbitrary code execution through malicious files. This article covers technical details, affected versions, impact, and mitigation.

Published:

CVE-2025-43549 Overview

CVE-2025-43549 is a Use After Free vulnerability [CWE-416] affecting Adobe Substance 3D Stager versions 3.1.1 and earlier. Successful exploitation allows arbitrary code execution in the context of the current user. The flaw requires local user interaction: a victim must open a malicious file crafted by an attacker. Adobe addressed the issue in security advisory APSB25-46.

Critical Impact

Attackers can achieve arbitrary code execution with the privileges of the logged-in user by delivering a malicious project file to Substance 3D Stager on Windows or macOS.

Affected Products

  • Adobe Substance 3D Stager versions 3.1.1 and earlier
  • Apple macOS (host platform)
  • Microsoft Windows (host platform)

Discovery Timeline

  • 2025-05-13 - CVE-2025-43549 published to the National Vulnerability Database
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-43549

Vulnerability Analysis

The vulnerability is a Use After Free condition in Adobe Substance 3D Stager, a 3D scene composition and rendering tool. Use After Free issues occur when application logic continues to reference a memory region after it has been deallocated. An attacker who controls the freed memory's contents can manipulate program execution flow, ultimately redirecting control to attacker-supplied data.

In this case, exploitation produces arbitrary code execution within the current user's process context. The attack vector is local and requires user interaction, meaning the victim must actively open a malicious file using Substance 3D Stager. Adobe has not disclosed the specific file format parser or object lifecycle responsible for the dangling reference.

Root Cause

The root cause is improper memory lifetime management within Substance 3D Stager's file handling code. An object is freed while at least one pointer to that object remains reachable. Subsequent operations dereference the stale pointer, allowing controlled data placed in the reallocated memory to influence execution. Refer to the Adobe Security Advisory APSB25-46 for vendor-provided details.

Attack Vector

An attacker crafts a malicious Substance 3D Stager project or asset file and delivers it through phishing, file sharing services, or compromised content repositories. When the victim opens the file, the parser triggers the Use After Free condition. The attacker's payload executes with the same privileges as the user running Substance 3D Stager. No network exposure or elevated privileges are required prior to exploitation.

Detection Methods for CVE-2025-43549

Indicators of Compromise

  • Unexpected child processes spawned by Adobe Substance 3D Stager.exe (Windows) or the Stager application bundle (macOS), particularly shells, scripting interpreters, or rundll32.exe.
  • Crash dumps or Windows Error Reporting events referencing Substance 3D Stager modules following the opening of an external file.
  • Substance 3D Stager processes initiating outbound network connections to unrecognized hosts shortly after file open events.

Detection Strategies

  • Monitor endpoint telemetry for process lineage anomalies where Substance 3D Stager spawns command interpreters, LOLBins, or persistence-related binaries.
  • Alert on Substance 3D Stager loading unsigned or unusual DLLs/dylibs from user-writable paths.
  • Correlate inbound email and download events delivering Substance 3D project files (.sbs, .sbsar, .stg) with subsequent file open activity on endpoints running vulnerable versions.

Monitoring Recommendations

  • Inventory installed versions of Adobe Substance 3D Stager across creative and engineering workstations to identify hosts running 3.1.1 or earlier.
  • Log file open operations and module load events for Substance 3D Stager in a centralized analytics platform to support retrospective hunting.
  • Track Adobe Creative Cloud update status to verify timely deployment of the APSB25-46 patch.

How to Mitigate CVE-2025-43549

Immediate Actions Required

  • Update Adobe Substance 3D Stager to the fixed version listed in Adobe advisory APSB25-46 on all Windows and macOS workstations.
  • Restrict the opening of Substance 3D Stager project files received from untrusted or unverified sources until patching is complete.
  • Apply the principle of least privilege so that users running Substance 3D Stager do not hold local administrator rights.

Patch Information

Adobe released a fixed version of Substance 3D Stager that remediates CVE-2025-43549. Patch details and download links are available in the Adobe Security Advisory APSB25-46. Deploy the update through Adobe Creative Cloud Desktop or enterprise software distribution tooling.

Workarounds

  • Block delivery of Substance 3D file formats at the email gateway and web proxy for users who do not require them.
  • Use application allowlisting to prevent Substance 3D Stager from launching unauthorized child processes such as cmd.exe, powershell.exe, or /bin/sh.
  • Educate users on the risk of opening unsolicited 3D project files and require validation through trusted channels before opening.
bash
# Verify installed Substance 3D Stager version on Windows (PowerShell)
Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" |
  Where-Object { $_.DisplayName -like "*Substance 3D Stager*" } |
  Select-Object DisplayName, DisplayVersion

# Verify installed Substance 3D Stager version on macOS
mdls -name kMDItemVersion "/Applications/Adobe Substance 3D Stager/Adobe Substance 3D Stager.app"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.