
CVE-2025-43554: Adobe Substance 3D Modeler RCE Flaw

CVE-2025-43554 is an out-of-bounds write vulnerability in Adobe Substance 3D Modeler that enables remote code execution. Attackers exploit this through malicious files requiring user interaction.

CVE-2025-43554 Overview

CVE-2025-43554 is an out-of-bounds write vulnerability [CWE-787] in Adobe Substance 3D Modeler versions 1.21.0 and earlier. The flaw allows arbitrary code execution in the context of the current user when a victim opens a malicious file. Adobe disclosed the issue in security bulletin APSB25-51 on May 13, 2025.

Exploitation requires user interaction, which lowers automated exploitation risk but aligns with file-based social engineering tradecraft. The vulnerability carries a CVSS 3.1 base score of 7.8 with a local attack vector.

Critical Impact

Successful exploitation results in arbitrary code execution under the privileges of the user opening the crafted Substance 3D Modeler file.

Affected Products

  • Adobe Substance 3D Modeler 1.21.0 and earlier
  • Windows installations of Substance 3D Modeler
  • macOS installations of Substance 3D Modeler

Discovery Timeline

  • 2025-05-13 - Adobe publishes security bulletin APSB25-51
  • 2025-05-13 - CVE-2025-43554 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-43554

Vulnerability Analysis

The vulnerability is an out-of-bounds write [CWE-787] in Adobe Substance 3D Modeler. The application writes data past the boundaries of an allocated buffer when parsing attacker-controlled file content. Out-of-bounds writes corrupt adjacent memory structures such as object pointers, function tables, or heap metadata.

An attacker who controls the size or offset of the write can pivot from memory corruption to arbitrary code execution. Execution occurs in the security context of the user running Substance 3D Modeler, which typically includes access to local documents, project files, and network shares.

The attack vector is local because the malicious payload must be delivered as a file and opened by the victim. Common delivery channels include phishing emails with project file attachments, compromised asset libraries, and shared 3D model repositories.

Root Cause

The root cause is missing or incorrect bounds validation when Substance 3D Modeler processes a structured input file. The parser trusts size or index fields from the file without verifying them against the destination buffer length. Writing beyond the allocated region corrupts adjacent process memory.

Attack Vector

An attacker crafts a malicious Substance 3D Modeler project or asset file containing manipulated structure fields. The attacker delivers the file through email, a shared drive, or a third-party asset marketplace. When the victim opens the file in Substance 3D Modeler 1.21.0 or earlier, the out-of-bounds write triggers and the embedded payload executes with the user's privileges.

No verified public proof-of-concept exploit is available. The EPSS score is 0.181%, indicating low predicted exploitation activity at this time. Refer to the Adobe Security Bulletin APSB25-51 for vendor technical details.

Detection Methods for CVE-2025-43554

Indicators of Compromise

  • Substance 3D Modeler process (Modeler.exe or Modeler on macOS) spawning command interpreters such as cmd.exe, powershell.exe, or /bin/sh
  • Unexpected child processes or network connections initiated by Substance 3D Modeler shortly after a file open event
  • Crash dumps or Windows Error Reporting events referencing Substance 3D Modeler with access violation codes
  • Unusual file writes by the Modeler process to user profile autorun, startup, or scheduled task locations

Detection Strategies

  • Monitor for Substance 3D Modeler creating child processes that are not part of normal application behavior
  • Alert on Substance 3D Modeler loading unsigned modules or executing scripts from temporary directories
  • Inspect endpoint telemetry for memory access violations originating in Substance 3D Modeler followed by shellcode-like activity
  • Track opens of .sbsmdl or related project files received from external email or downloaded from untrusted sources
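
The parent-child process indicator and the "shortly after a file open event" correlation listed above can be written as a small rule over endpoint telemetry. This is an added example, not part of the original advisory or of any vendor tooling; the event schema, the five-minute window, and every host name and path in the sample events are constructed assumptions.

```python
import ntpath
import posixpath
from datetime import datetime, timedelta

# Process names come from the indicators above; the window is an assumption.
MODELER_NAMES = {"modeler.exe", "modeler"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "sh"}
WINDOW = timedelta(minutes=5)

# Constructed sample telemetry (hypothetical schema, hosts and paths).
SAMPLE_EVENTS = [
    {"time": "2025-05-20T09:14:02", "host": "ws-01", "type": "file_open",
     "process": r"C:\Apps\Modeler.exe", "path": r"C:\Users\a\Downloads\asset.sbsmdl"},
    {"time": "2025-05-20T09:14:09", "host": "ws-01", "type": "process_create",
     "parent": r"C:\Apps\Modeler.exe", "image": r"C:\Windows\System32\cmd.exe"},
    {"time": "2025-05-20T09:20:00", "host": "ws-01", "type": "process_create",
     "parent": r"C:\Apps\Modeler.exe", "image": r"C:\Apps\helper.exe"},
    {"time": "2025-05-20T10:02:00", "host": "ws-02", "type": "process_create",
     "parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\cmd.exe"},
    {"time": "2025-05-20T11:00:00", "host": "mac-03", "type": "process_create",
     "parent": "/Applications/Modeler", "image": "/bin/sh"},
]

def name_of(path):
    """Return the lower-cased file name of a Windows or POSIX path."""
    mod = ntpath if "\\" in path else posixpath
    return mod.basename(path).lower()

def find_suspicious_children(events):
    """Return alerts for interpreters spawned by Modeler, ranked by file-open proximity."""
    last_open, alerts = {}, []  # last_open: host -> (time, path) of Modeler's latest open
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["time"])):
        when = datetime.fromisoformat(ev["time"])
        if ev["type"] == "file_open" and name_of(ev["process"]) in MODELER_NAMES:
            last_open[ev["host"]] = (when, ev["path"])
        elif (ev["type"] == "process_create"
              and name_of(ev["parent"]) in MODELER_NAMES
              and name_of(ev["image"]) in INTERPRETERS):
            opened = last_open.get(ev["host"])
            recent = opened is not None and when - opened[0] <= WINDOW
            alerts.append({"host": ev["host"], "child": name_of(ev["image"]),
                           "opened_file": opened[1] if recent else None,
                           "severity": "high" if recent else "medium"})
    return alerts

if __name__ == "__main__":
    for alert in find_suspicious_children(SAMPLE_EVENTS):
        print(alert)
```

An interpreter spawned by Modeler is reported even without a matching file open, at lower severity, so gaps in file telemetry do not hide the process indicator.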

Monitoring Recommendations

  • Maintain an inventory of endpoints running Substance 3D Modeler and their installed versions for rapid triage
  • Forward endpoint process, file, and network telemetry to a centralized SIEM for correlation across user sessions
  • Enable application crash and exception logging on workstations used for 3D content creation

How to Mitigate CVE-2025-43554

Immediate Actions Required

  • Upgrade Adobe Substance 3D Modeler to the fixed version listed in Adobe Security Bulletin APSB25-51
  • Identify all systems running Substance 3D Modeler 1.21.0 or earlier and prioritize patching for users handling external assets
  • Instruct users to avoid opening Substance 3D Modeler files received from untrusted sources until patching is complete
  • Validate that the affected user accounts run with standard rather than administrative privileges to limit blast radius

Patch Information

Adobe released a patched version of Substance 3D Modeler addressing CVE-2025-43554. Apply the update referenced in the Adobe Security Bulletin APSB25-51 on every affected workstation.

Workarounds

  • Restrict opening of Substance 3D Modeler project files to those originating from trusted internal repositories
  • Apply email gateway rules to quarantine attachments associated with 3D asset file extensions from external senders
  • Run Substance 3D Modeler as a non-administrative user and isolate content review workflows on dedicated hosts
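
```powershell
# Identify the installed Substance 3D Modeler version on Windows endpoints (native and 32-bit uninstall keys)
$uninstallKeys = @(
  "HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*",
  "HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*"
)
Get-ItemProperty $uninstallKeys -ErrorAction SilentlyContinue |
  Where-Object { $_.DisplayName -like "*Substance 3D Modeler*" } |
  Select-Object DisplayName, DisplayVersion, InstallLocation
```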

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.