Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-43568

CVE-2025-43568: Adobe Substance 3D Stager UAF Vulnerability

CVE-2025-43568 is a use after free vulnerability in Adobe Substance 3D Stager that enables arbitrary code execution. Attackers exploit this through malicious files. This article covers technical details, affected versions, and mitigations.

Published:

CVE-2025-43568 Overview

CVE-2025-43568 is a Use After Free vulnerability [CWE-416] affecting Adobe Substance 3D Stager versions 3.1.1 and earlier. The flaw allows arbitrary code execution in the context of the current user when a victim opens a maliciously crafted file. Adobe published the issue in security bulletin APSB25-46 on May 13, 2025.

Exploitation requires user interaction. An attacker must convince a target to open a weaponized project or asset file in Substance 3D Stager on Windows or macOS. Successful exploitation yields code execution with the privileges of the logged-in user, enabling follow-on activity such as credential theft, persistence, or lateral movement.

Critical Impact

Attackers can achieve arbitrary code execution on Windows and macOS workstations running vulnerable Substance 3D Stager builds when a user opens a crafted file.

Affected Products

  • Adobe Substance 3D Stager versions 3.1.1 and earlier
  • Microsoft Windows installations of Substance 3D Stager
  • Apple macOS installations of Substance 3D Stager

Discovery Timeline

  • 2025-05-13 - Adobe releases security patch via bulletin APSB25-46
  • 2025-05-13 - CVE-2025-43568 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-43568

Vulnerability Analysis

CVE-2025-43568 is a Use After Free condition in Substance 3D Stager's file parsing logic. The application dereferences a pointer to a heap object after that object has been freed, allowing an attacker to control memory that the program continues to treat as valid. When the freed region is reallocated with attacker-controlled data, subsequent operations on the stale pointer transfer execution flow to attacker chosen code.

Adobe categorizes the outcome as arbitrary code execution in the context of the current user. On workstations where designers run with administrative rights, the impact extends to full system compromise. The vulnerability is local in nature and cannot be triggered remotely without user interaction.

The EPSS model rates active exploitation probability as low, and no public proof-of-concept or in-the-wild exploitation has been reported. However, Use After Free bugs in complex 3D file parsers are historically weaponized once patch diffs become available.

Root Cause

The root cause is improper management of object lifetime in Substance 3D Stager's parser. A code path frees an internal object while another reference to the same allocation remains reachable. Later operations dereference the dangling pointer, reading or writing memory that has been reused for unrelated data.

Attack Vector

The attack vector is local and requires user interaction (AV:L/UI:R). An attacker delivers a malicious Substance 3D Stager project, scene, or asset file through email, chat, cloud storage, or a compromised asset marketplace. When the victim opens the file, the parser triggers the freed-object dereference and executes attacker-supplied shellcode.

Refer to the Adobe Security Bulletin APSB25-46 for vendor technical guidance. No verified public exploit code is currently available.

Detection Methods for CVE-2025-43568

Indicators of Compromise

  • Unexpected child processes spawned by Adobe Substance 3D Stager.exe on Windows or the Stager application bundle on macOS, particularly shells, script interpreters, or rundll32.exe.
  • Substance 3D Stager writing executable content to user-writable locations such as %APPDATA%, %TEMP%, or ~/Library/LaunchAgents.
  • Inbound Substance 3D Stager project files (.sbs, .sbsar, .stager, .usd, .fbx) received from untrusted sources immediately preceding suspicious endpoint activity.

Detection Strategies

  • Alert on process lineage anomalies where Substance 3D Stager parents non-Adobe binaries, network utilities, or PowerShell.
  • Monitor for crashes and exception events tied to the Stager process, which frequently precede successful Use After Free exploitation attempts.
  • Inspect email and file-share telemetry for 3D asset files delivered to design and marketing users, correlating with subsequent endpoint events.

Monitoring Recommendations

  • Inventory endpoints running Substance 3D Stager and track installed versions against the patched release.
  • Ingest Adobe Creative Cloud application logs and endpoint EDR telemetry into a central data lake for cross-source correlation.
  • Track outbound connections initiated by or immediately after Substance 3D Stager execution to detect second-stage payload retrieval.

How to Mitigate CVE-2025-43568

Immediate Actions Required

  • Upgrade Substance 3D Stager to the fixed release identified in Adobe Security Bulletin APSB25-46 on all Windows and macOS workstations.
  • Restrict opening of Substance 3D Stager project files received from external or untrusted sources until patching completes.
  • Enforce least privilege on designer and 3D artist accounts so that a successful exploit does not yield administrative access.

Patch Information

Adobe released fixed builds of Substance 3D Stager on May 13, 2025 as part of APSB25-46. Administrators should push updates through Adobe Creative Cloud Desktop or an enterprise deployment tool and verify installed versions exceed 3.1.1.

Workarounds

  • Block delivery of Substance 3D Stager project and asset file extensions at email and web gateways where those file types are not required for business operations.
  • Isolate 3D content creation workstations on a segmented network so that post-exploitation lateral movement is constrained.
  • Disable file associations for Substance 3D Stager on endpoints that have the software installed but do not actively use it, preventing accidental double-click execution.
bash
# Windows: query installed Substance 3D Stager version
Get-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*" |
  Where-Object { $_.DisplayName -like "*Substance 3D Stager*" } |
  Select-Object DisplayName, DisplayVersion

# macOS: query installed Substance 3D Stager version
mdls -name kMDItemVersion "/Applications/Adobe Substance 3D Stager/Adobe Substance 3D Stager.app"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.