CVE-2025-49573 Overview
CVE-2025-49573 is an out-of-bounds write vulnerability [CWE-787] affecting Adobe Substance 3D Modeler versions 1.22.0 and earlier. Attackers can leverage the flaw to achieve arbitrary code execution in the context of the current user. Exploitation requires user interaction: a victim must open a malicious file crafted to trigger the memory corruption. Adobe addressed the issue in security bulletin APSB25-76. The vulnerability carries a CVSS 3.1 base score of 7.8 and an EPSS probability of 0.181%, placing it in the 7.756th percentile for likelihood of exploitation.
Critical Impact
Successful exploitation allows arbitrary code execution with the privileges of the user running Substance 3D Modeler, enabling installation of malware, data theft, or lateral movement.
Affected Products
- Adobe Substance 3D Modeler version 1.22.0
- Adobe Substance 3D Modeler versions prior to 1.22.0
- Windows and macOS installations of Substance 3D Modeler
Discovery Timeline
- 2025-08-12 - CVE-2025-49573 published to NVD
- 2026-06-17 - Last updated in NVD
Technical Details for CVE-2025-49573
Vulnerability Analysis
The vulnerability is an out-of-bounds write condition [CWE-787] within Adobe Substance 3D Modeler's file parsing logic. When the application processes a malformed project or asset file, it writes data beyond the bounds of an allocated memory buffer. This corruption can overwrite adjacent heap metadata, function pointers, or other control structures used by the application. Attackers who control the contents written past the buffer boundary can redirect execution flow to attacker-supplied code.
The issue is locally exploitable and requires user interaction. The attacker must convince a target to open a malicious file, typically through phishing, supply-chain delivery of trojanized 3D assets, or hosting weaponized files on collaboration platforms used by 3D artists.
Root Cause
The root cause is insufficient bounds checking during deserialization of file structures. The parser trusts size or offset fields from the input file without validating that subsequent write operations remain inside the allocated buffer. Adobe does not publish detailed technical specifics in APSB25-76.
Attack Vector
The attack vector is local and depends on social engineering. An attacker delivers a crafted Substance 3D Modeler project file to the victim. Upon opening the file, the malformed structure triggers the out-of-bounds write, corrupts process memory, and yields code execution in the user's security context. Exploitation does not require elevated privileges; the resulting code runs with the privileges of the logged-in user.
No public proof-of-concept exploit code or in-the-wild exploitation has been reported. The vulnerability is not listed on the CISA Known Exploited Vulnerabilities catalog.
Detection Methods for CVE-2025-49573
Indicators of Compromise
- Unexpected child processes spawned by Adobe Substance 3D Modeler.exe, such as cmd.exe, powershell.exe, or scripting hosts
- Substance 3D Modeler process crashes or access violations correlated with opening untrusted .sbsm or related project files
- New persistence entries or outbound network connections originating from the Modeler process shortly after a file open event
Detection Strategies
- Monitor process lineage for Substance 3D Modeler spawning shells, LOLBins, or file-write activity in user-writable directories
- Inspect Windows Error Reporting and macOS crash logs for repeated faults in the Modeler binary that may indicate exploitation attempts
- Apply EDR behavioral rules for memory corruption indicators such as heap manipulation followed by code execution from non-image memory regions
Monitoring Recommendations
- Track inbound delivery of 3D asset files from external email senders, file-sharing links, and unmanaged removable media
- Inventory endpoints running Substance 3D Modeler and alert when versions 1.22.0 or earlier remain installed after the patch window
- Correlate file-open telemetry from Modeler with subsequent process, registry, and network events to surface post-exploitation behavior
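The process-lineage and file-open correlation checks listed above, as an added example (not Adobe or vendor code). The event records are constructed and their field names are assumptions; the rule flags shells or scripting hosts spawned by the Modeler process and raises severity when the spawn follows a Modeler file open on the same host within five minutes.

```python
from datetime import datetime, timedelta

MODELER = "adobe substance 3d modeler.exe"
# Shells and scripting hosts that a 3D modelling tool has no reason to launch.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe",
                       "cscript.exe", "mshta.exe"}
WINDOW = timedelta(minutes=5)  # assumed correlation window

# Constructed sample telemetry (not real logs); field names are assumptions.
EVENTS = [
    {"ts": "2025-08-13T09:14:02", "host": "ws-041", "type": "file_open",
     "image": "Adobe Substance 3D Modeler.exe",
     "target": r"C:\Users\a\Downloads\asset.sbsm"},
    {"ts": "2025-08-13T09:14:05", "host": "ws-041", "type": "process_create",
     "parent": "Adobe Substance 3D Modeler.exe", "image": "powershell.exe"},
    {"ts": "2025-08-13T09:20:00", "host": "ws-007", "type": "process_create",
     "parent": "explorer.exe", "image": "cmd.exe"},
    {"ts": "2025-08-13T11:00:00", "host": "ws-041", "type": "process_create",
     "parent": "Adobe Substance 3D Modeler.exe", "image": "cmd.exe"},
]

def detect(events):
    """Return alerts for suspicious children of the Modeler process."""
    alerts = []
    last_open = {}  # host -> (time, path) of the most recent Modeler file open
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "file_open" and ev["image"].lower() == MODELER:
            last_open[ev["host"]] = (ts, ev["target"])
        elif (ev["type"] == "process_create"
              and ev["parent"].lower() == MODELER
              and ev["image"].lower() in SUSPICIOUS_CHILDREN):
            opened = last_open.get(ev["host"])
            recent = opened is not None and ts - opened[0] <= WINDOW
            alerts.append({
                "host": ev["host"],
                "child": ev["image"],
                # A spawn right after a file open is the stronger signal.
                "severity": "high" if recent else "medium",
                "file": opened[1] if recent else None,
            })
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```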
How to Mitigate CVE-2025-49573
Immediate Actions Required
- Upgrade Adobe Substance 3D Modeler to the fixed version identified in Adobe Security Bulletin APSB25-76
- Instruct users not to open Substance 3D Modeler files received from untrusted or unverified sources
- Apply application allowlisting to prevent Modeler from spawning interpreters or shells
Patch Information
Adobe released a fixed build of Substance 3D Modeler addressing CVE-2025-49573 as part of bulletin APSB25-76. Administrators should deploy the patched version to all workstations running version 1.22.0 or earlier. Refer to the Adobe Security Advisory APSB25-76 for the exact fixed version and download links.
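An added example (not Adobe tooling) of the inventory check implied here and in the monitoring recommendations: it classifies hosts by installed version against the affected range of 1.22.0 and earlier. The host names and versions are constructed; the exact fixed version is not assumed and should be taken from APSB25-76.

```python
LAST_VULNERABLE = (1, 22, 0)  # per the advisory: 1.22.0 and earlier are affected

# Constructed inventory rows: (host, reported version string).
INVENTORY = [
    ("ws-041", "1.22.0"),
    ("ws-007", "1.9.1"),     # string comparison would wrongly rank this above 1.22.0
    ("ws-112", "1.23.0"),    # constructed value above the affected range
    ("mac-03", "1.22"),      # short form, treated as 1.22.0
    ("ws-200", "unknown"),   # agent could not read the version
]

def parse_version(text):
    """Parse 'major.minor[.patch]' into a 3-tuple of ints, or None."""
    parts = (text or "").strip().split(".")
    if not all(p.isdigit() for p in parts):
        return None
    nums = [int(p) for p in parts[:3]]
    return tuple(nums + [0] * (3 - len(nums)))

def triage(inventory):
    """Group hosts into vulnerable / ok / unknown by numeric version."""
    report = {"vulnerable": [], "ok": [], "unknown": []}
    for host, version in inventory:
        parsed = parse_version(version)
        if parsed is None:
            # Unreadable versions need manual follow-up, not a silent pass.
            report["unknown"].append(host)
        elif parsed <= LAST_VULNERABLE:
            report["vulnerable"].append(host)
        else:
            report["ok"].append(host)
    return report

if __name__ == "__main__":
    for status, hosts in triage(INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```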
Workarounds
- Restrict use of Substance 3D Modeler to files originating from trusted internal pipelines until the patch is deployed
- Run the application under a standard user account without administrative rights to limit post-exploitation impact
- Use email and web gateway controls to filter or sandbox inbound 3D project files from external sources

