
CVE-2025-49573: Adobe Substance 3D Modeler RCE Vulnerability

CVE-2025-49573 is an out-of-bounds write vulnerability in Adobe Substance 3D Modeler that enables remote code execution. Attackers exploit this flaw through malicious files to execute arbitrary code in user context.


CVE-2025-49573 Overview

CVE-2025-49573 is an out-of-bounds write vulnerability [CWE-787] affecting Adobe Substance 3D Modeler versions 1.22.0 and earlier. Attackers can leverage the flaw to achieve arbitrary code execution in the context of the current user. Exploitation requires user interaction: a victim must open a malicious file crafted to trigger the memory corruption. Adobe addressed the issue in security bulletin APSB25-76. The vulnerability carries a CVSS 3.1 base score of 7.8 and an EPSS probability of 0.181%, placing it in the 7.756th percentile for likelihood of exploitation.

Critical Impact

Successful exploitation allows arbitrary code execution with the privileges of the user running Substance 3D Modeler, enabling installation of malware, data theft, or lateral movement.

Affected Products

  • Adobe Substance 3D Modeler version 1.22.0
  • Adobe Substance 3D Modeler versions prior to 1.22.0
  • Windows and macOS installations of Substance 3D Modeler

Discovery Timeline

  • 2025-08-12 - CVE-2025-49573 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-49573

Vulnerability Analysis

The vulnerability is an out-of-bounds write condition [CWE-787] within Adobe Substance 3D Modeler's file parsing logic. When the application processes a malformed project or asset file, it writes data beyond the bounds of an allocated memory buffer. This corruption can overwrite adjacent heap metadata, function pointers, or other control structures used by the application. Attackers who control the contents written past the buffer boundary can redirect execution flow to attacker-supplied code.

The issue is locally exploitable and requires user interaction. The attacker must convince a target to open a malicious file, typically through phishing, supply-chain delivery of trojanized 3D assets, or hosting weaponized files on collaboration platforms used by 3D artists.

Root Cause

The root cause is insufficient bounds checking during deserialization of file structures. The parser trusts size or offset fields from the input file without validating that subsequent write operations remain inside the allocated buffer. Adobe does not publish detailed technical specifics in APSB25-76.

Attack Vector

The attack vector is local and depends on social engineering. An attacker delivers a crafted Substance 3D Modeler project file to the victim. Upon opening the file, the malformed structure triggers the out-of-bounds write, corrupts process memory, and yields code execution in the user's security context. The vulnerability does not require elevated privileges to exploit but inherits the privileges of the logged-in user.

No public proof-of-concept exploit code or in-the-wild exploitation has been reported. The vulnerability is not listed on the CISA Known Exploited Vulnerabilities catalog.

Detection Methods for CVE-2025-49573

Indicators of Compromise

  • Unexpected child processes spawned by Adobe Substance 3D Modeler.exe such as cmd.exe, powershell.exe, or scripting hosts
  • Substance 3D Modeler process crashes or access violations correlated with opening untrusted .sbsm or related project files
  • New persistence entries or outbound network connections originating from the Modeler process shortly after a file open event

Detection Strategies

  • Monitor process lineage for Substance 3D Modeler spawning shells, LOLBins, or file-write activity in user-writable directories
  • Inspect Windows Error Reporting and macOS crash logs for repeated faults in the Modeler binary that may indicate exploitation attempts
  • Apply EDR behavioral rules for memory corruption indicators such as heap manipulation followed by code execution from non-image memory regions

Monitoring Recommendations

  • Track inbound delivery of 3D asset files from external email senders, file-sharing links, and unmanaged removable media
  • Inventory endpoints running Substance 3D Modeler and alert when versions 1.22.0 or earlier remain installed after the patch window
  • Correlate file-open telemetry from Modeler with subsequent process, registry, and network events to surface post-exploitation behavior
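
The lineage check and file-open correlation from the detection and monitoring lists above, as an added example that is not code from this page or from Adobe: it flags shells and script hosts spawned by the Modeler process and raises severity when the same process opened a file shortly before the spawn. The event field names, the correlation window, the install path, and the script-host names beyond cmd.exe and powershell.exe are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

MODELER = "adobe substance 3d modeler.exe"  # process name as given on this page
# cmd.exe and powershell.exe come from the page; the script hosts are assumed additions.
SUSPECT_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
WINDOW = timedelta(seconds=120)  # assumed correlation window; tune per environment

M = r"C:\Apps\Adobe Substance 3D Modeler.exe"  # constructed install path
# Constructed telemetry; field names are hypothetical, not a specific EDR schema.
SAMPLE_EVENTS = [
    {"ts": "2025-08-20T10:00:00", "host": "ws-01", "type": "file_open",
     "image": M, "pid": 4120, "path": r"C:\Users\a\Downloads\asset_pack.sbsm"},
    {"ts": "2025-08-20T10:00:20", "host": "ws-01", "type": "process_create",
     "image": r"C:\Windows\System32\cmd.exe", "parent_image": M, "ppid": 4120},
    {"ts": "2025-08-20T11:00:00", "host": "ws-02", "type": "process_create",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": M, "ppid": 2200},
    {"ts": "2025-08-20T11:05:00", "host": "ws-02", "type": "process_create",
     "image": r"C:\Apps\helper.exe", "parent_image": M, "ppid": 2200},
    {"ts": "2025-08-20T11:06:00", "host": "ws-01", "type": "process_create",
     "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe", "ppid": 900},
]

def basename(path):
    """Lower-cased file name from a Windows or POSIX style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def find_suspicious_spawns(events, window=WINDOW):
    """Alert on shells/script hosts spawned by Modeler; severity is 'high' when the
    same Modeler process opened a file within `window` before the spawn."""
    opens, alerts = {}, []  # opens: (host, pid) -> [(time, path), ...]
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["ts"])):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "file_open" and basename(ev["image"]) == MODELER:
            opens.setdefault((ev["host"], ev["pid"]), []).append((ts, ev["path"]))
        elif ev["type"] == "process_create" and basename(ev["parent_image"]) == MODELER:
            child = basename(ev["image"])
            if child not in SUSPECT_CHILDREN:
                continue  # Modeler child that is not a shell or script host
            recent = [p for t, p in opens.get((ev["host"], ev["ppid"]), [])
                      if timedelta(0) <= ts - t <= window]
            alerts.append({"host": ev["host"], "ts": ev["ts"], "child": child,
                           "opened_files": recent,
                           "severity": "high" if recent else "medium"})
    return alerts
```
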

How to Mitigate CVE-2025-49573

Immediate Actions Required

  • Upgrade Adobe Substance 3D Modeler to the fixed version identified in Adobe Security Bulletin APSB25-76
  • Instruct users not to open Substance 3D Modeler files received from untrusted or unverified sources
  • Apply application allowlisting to prevent Modeler from spawning interpreters or shells

Patch Information

Adobe released a fixed build of Substance 3D Modeler addressing CVE-2025-49573 as part of bulletin APSB25-76. Administrators should deploy the patched version to all workstations running version 1.22.0 or earlier. Refer to the Adobe Security Advisory APSB25-76 for the exact fixed version and download links.

Workarounds

  • Restrict use of Substance 3D Modeler to files originating from trusted internal pipelines until the patch is deployed
  • Run the application under a standard user account without administrative rights to limit post-exploitation impact
  • Use email and web gateway controls to filter or sandbox inbound 3D project files from external sources

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
