Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-43571

CVE-2025-43571: Adobe Substance 3D Stager Use After Free

CVE-2025-43571 is a use after free vulnerability in Adobe Substance 3D Stager that enables arbitrary code execution. Exploitation requires opening a malicious file. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2025-43571 Overview

CVE-2025-43571 is a Use After Free vulnerability [CWE-416] affecting Adobe Substance 3D Stager versions 3.1.1 and earlier. The flaw allows arbitrary code execution in the context of the current user when a victim opens a crafted file. Exploitation requires user interaction, limiting remote attack scenarios but aligning with common phishing and social engineering workflows that target creative professionals. Adobe addressed the issue in security bulletin APSB25-46, published alongside the NVD entry on May 13, 2025. The vulnerability impacts both Windows and macOS installations of Substance 3D Stager.

Critical Impact

Successful exploitation allows arbitrary code execution under the privileges of the logged-in user, enabling malware deployment, credential theft, and lateral movement from creative workstations.

Affected Products

  • Adobe Substance 3D Stager versions 3.1.1 and earlier
  • Microsoft Windows installations of Substance 3D Stager
  • Apple macOS installations of Substance 3D Stager

Discovery Timeline

  • 2025-05-13 - CVE-2025-43571 published to the National Vulnerability Database
  • 2025-05-13 - Adobe publishes security advisory APSB25-46
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-43571

Vulnerability Analysis

CVE-2025-43571 is a Use After Free condition in Adobe Substance 3D Stager, a staging and rendering application used in 3D content creation pipelines. Use After Free vulnerabilities occur when an application continues to reference memory after it has been deallocated. An attacker who controls the contents of the freed region, or the dangling pointer's dereference path, can redirect execution flow into attacker-supplied data.

The vulnerability resides in file parsing logic invoked when Substance 3D Stager opens a project, asset, or scene file. Crafted input triggers premature deallocation of an object that the application later dereferences. Attackers typically chain Use After Free flaws with heap grooming and information leak primitives to bypass Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP).

Root Cause

The root cause is improper object lifetime management within the file handling code path. The application releases a heap-allocated object while retaining a reference that is dereferenced during subsequent processing. Adobe has not published implementation details beyond the CWE-416 classification in advisory APSB25-46.

Attack Vector

The attack vector is local and requires user interaction. An attacker distributes a malicious Substance 3D Stager file via email attachment, shared asset repository, or compromised supply chain. The victim opens the file in a vulnerable version of Stager, triggering the Use After Free and executing attacker-controlled code with the user's privileges. No authentication or network access to the target system is required.

Technical exploitation details for CVE-2025-43571 are not publicly available. Refer to the Adobe Security Advisory APSB25-46 for vendor guidance.

Detection Methods for CVE-2025-43571

Indicators of Compromise

  • Substance 3D Stager process (Adobe Substance 3D Stager.exe on Windows, Adobe Substance 3D Stager on macOS) spawning unexpected child processes such as cmd.exe, powershell.exe, bash, or osascript.
  • Crashes or abnormal termination of Substance 3D Stager immediately after opening an asset file, recorded in Windows Application event logs or macOS ReportCrash diagnostics.
  • Substance 3D Stager performing outbound network connections to non-Adobe domains shortly after file open events.

Detection Strategies

  • Monitor process lineage for Substance 3D Stager and alert on creation of shells, scripting engines, or LOLBins as child processes.
  • Hunt for unexpected file writes by Substance 3D Stager outside its standard project directories, particularly into user startup or autorun locations.
  • Correlate email gateway and file share telemetry for inbound Substance 3D asset files (.sbs, .sbsar, .stager) from untrusted senders.

Monitoring Recommendations

  • Enable endpoint detection and response (EDR) telemetry on workstations used by 3D artists, designers, and creative teams.
  • Forward application crash events from creative workstations to a central SIEM for trend analysis.
  • Track installed versions of Substance 3D Stager across the fleet to identify systems still running 3.1.1 or earlier.

How to Mitigate CVE-2025-43571

Immediate Actions Required

  • Update Adobe Substance 3D Stager to the version specified in Adobe Security Advisory APSB25-46 on all Windows and macOS endpoints.
  • Inventory creative workstations to identify any installation of Substance 3D Stager 3.1.1 or earlier and prioritize patching.
  • Instruct users to avoid opening Substance 3D asset or project files received from untrusted or unexpected sources until patching is complete.

Patch Information

Adobe has released a fixed version of Substance 3D Stager. Apply the update referenced in security bulletin APSB25-46. Adobe distributes the update through the Creative Cloud desktop application and direct installers. Verify the installed version after patching by checking the application's About dialog.

Workarounds

  • Restrict the ability to open Substance 3D Stager files originating from email attachments or external file shares using application allowlisting policies.
  • Apply the principle of least privilege so creative workstation users do not operate with local administrator rights, limiting post-exploitation impact.
  • Segment creative production networks from sensitive corporate resources to contain compromise of design workstations.
bash
# Verify installed Substance 3D Stager version on Windows (PowerShell)
Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" |
  Where-Object { $_.DisplayName -like "*Substance 3D Stager*" } |
  Select-Object DisplayName, DisplayVersion, InstallLocation

# Verify installed Substance 3D Stager version on macOS
mdls -name kMDItemVersion "/Applications/Adobe Substance 3D Stager/Adobe Substance 3D Stager.app"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.