Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-47123

CVE-2025-47123: Adobe FrameMaker Buffer Overflow Flaw

CVE-2025-47123 is a heap-based buffer overflow vulnerability in Adobe FrameMaker that enables arbitrary code execution. This article covers the technical details, affected versions, exploitation requirements, and mitigation.

Published:

CVE-2025-47123 Overview

CVE-2025-47123 is a heap-based buffer overflow vulnerability [CWE-122] affecting Adobe Framemaker versions 2020.8, 2022.6, and earlier. Successful exploitation allows attackers to execute arbitrary code in the context of the current user. The flaw requires user interaction: a victim must open a malicious file crafted by the attacker. Adobe addressed the issue in security advisory APSB25-66.

Critical Impact

Attackers can achieve arbitrary code execution on the victim's workstation by delivering a malicious Framemaker document, leading to full compromise of the current user's session and accessible data.

Affected Products

  • Adobe Framemaker 2020.8 and earlier 2020.x releases
  • Adobe Framemaker 2022.6 and earlier 2022.x releases
  • Microsoft Windows installations running the affected Framemaker versions

Discovery Timeline

  • 2025-07-08 - CVE-2025-47123 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-47123

Vulnerability Analysis

The vulnerability is a heap-based buffer overflow in Adobe Framemaker's file parsing logic. When Framemaker processes a maliciously crafted document, the application writes data beyond the bounds of a heap-allocated buffer. This memory corruption can overwrite adjacent heap metadata or object pointers, enabling attackers to redirect execution flow.

Exploitation runs in the context of the user opening the file. On Windows workstations, this typically grants the attacker access to user documents, credentials cached by browsers and productivity tools, and network shares mounted by the victim. The EPSS score of 0.214% reflects current public exploitation likelihood, but the technique aligns with established heap exploitation patterns against Framemaker that have been weaponized previously.

Root Cause

The defect originates from improper validation of size or length values during the parsing of structured file content. Framemaker allocates a heap buffer based on values derived from attacker-controlled fields without enforcing strict bounds. Subsequent copy operations exceed the allocation, corrupting heap memory. The classification under CWE-122 confirms the heap-based nature of the overflow.

Attack Vector

The attack vector is local and requires user interaction. An attacker delivers a malicious Framemaker file through email attachments, file shares, instant messaging, or compromised websites. When the victim opens the file in a vulnerable Framemaker version, the parser triggers the overflow. No network access to the host is required, and no prior privileges on the system are needed.

The vulnerability mechanism is described in prose only; no public proof-of-concept code is available. Refer to the Adobe Security Advisory APSB25-66 for vendor technical details.

Detection Methods for CVE-2025-47123

Indicators of Compromise

  • Unexpected child processes spawned by FrameMaker.exe, particularly command interpreters such as cmd.exe, powershell.exe, or wscript.exe
  • Framemaker process crashes followed by suspicious file writes to user-writable directories or startup locations
  • Inbound Framemaker documents (.fm, .book, .mif) from untrusted sources arriving via email or web download
  • Outbound network connections initiated by FrameMaker.exe to unfamiliar external hosts

Detection Strategies

  • Monitor process creation events where the parent image is FrameMaker.exe and correlate with unusual command-line arguments
  • Hunt for heap corruption telltales: Framemaker crashes logged in Windows Event Log with exception codes 0xC0000374 (heap corruption) or 0xC0000005 (access violation)
  • Inspect recent file open activity on endpoints running affected versions and quarantine documents originating from untrusted email or web sources

Monitoring Recommendations

  • Enable Windows Defender Exploit Guard and Attack Surface Reduction rules that block Office and document applications from creating child processes
  • Forward Sysmon events (IDs 1, 7, 11) to a centralized SIEM and build alerts for Framemaker-initiated executable launches
  • Track software inventory to confirm all Framemaker installations are upgraded beyond 2020.8 and 2022.6

How to Mitigate CVE-2025-47123

Immediate Actions Required

  • Apply the security updates published in Adobe Security Advisory APSB25-66 to all Framemaker installations
  • Identify and inventory hosts running Adobe Framemaker 2020.x or 2022.x and prioritize patching for users who routinely open external documents
  • Instruct users to avoid opening Framemaker files received from untrusted or unverified senders until patches are deployed

Patch Information

Adobe released fixed versions addressing CVE-2025-47123 in advisory APSB25-66. Upgrade Adobe Framemaker 2020.x and 2022.x to the patched releases listed by Adobe. Patch deployment removes the underlying parsing flaw and is the only complete remediation.

Workarounds

  • Restrict Framemaker file associations so that .fm, .book, and .mif files do not auto-open from email clients or browsers
  • Run Framemaker under standard user accounts without local administrator rights to limit the blast radius of successful exploitation
  • Use email gateway policies to strip or quarantine Framemaker document attachments from external senders pending patch rollout
bash
# Configuration example: enable ASR rule to block child process creation from Office/document apps on Windows
Set-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EFC-AADC-AD5F3C50688A `
                 -AttackSurfaceReductionRules_Actions Enabled

# Inventory affected Framemaker installations across the fleet
Get-WmiObject -Class Win32_Product | Where-Object { $_.Name -like "*FrameMaker*" } |
  Select-Object Name, Version, InstallDate

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.