CVE-2025-54258: Adobe Substance 3D Modeler RCE Flaw

CVE-2025-54258 is a use after free RCE vulnerability in Adobe Substance 3D Modeler versions 1.22.2 and earlier. Attackers can execute arbitrary code when users open malicious files. This post covers technical details, impact, and mitigation.

CVE-2025-54258 Overview

CVE-2025-54258 is a Use After Free vulnerability [CWE-416] in Adobe Substance 3D Modeler versions 1.22.2 and earlier. The flaw allows arbitrary code execution in the context of the current user when a victim opens a malicious file. Exploitation requires user interaction, and the attack vector is local. Adobe published the issue in security bulletin APSB25-92 on September 9, 2025.

Critical Impact

Successful exploitation results in arbitrary code execution under the privileges of the user running Substance 3D Modeler, enabling attackers to install malware, exfiltrate data, or pivot deeper into the environment.

Affected Products

  • Adobe Substance 3D Modeler 1.22.2 and earlier
  • Windows installations of Substance 3D Modeler
  • macOS installations of Substance 3D Modeler

Discovery Timeline

  • 2025-09-09 - CVE-2025-54258 published to NVD
  • 2025-09-09 - Adobe releases Security Advisory APSB25-92
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-54258

Vulnerability Analysis

The vulnerability is a Use After Free condition [CWE-416] triggered when Substance 3D Modeler parses a crafted scene or asset file. The application references memory that has already been released, allowing an attacker to influence the contents of the memory that the dangling pointer still references. Controlled reuse of freed memory enables hijacking program flow and executing arbitrary code.

Exploitation requires the victim to open an attacker-supplied file. Because Substance 3D Modeler runs in user context, code executes with the current user's privileges. The scope is unchanged, so the impact remains within the user's security boundary, but full confidentiality, integrity, and availability loss is possible within that scope.

Root Cause

The root cause is improper lifetime management of an object during file parsing. The application frees a memory region but retains a reference that is later dereferenced. Adobe's advisory does not disclose the specific module or function. See the Adobe Security Advisory APSB25-92 for vendor details.

Attack Vector

An attacker crafts a malicious 3D project or asset file and delivers it through email, file sharing, or a compromised website. When the victim opens the file in a vulnerable version of Substance 3D Modeler, parsing triggers the Use After Free condition. The attacker gains code execution without requiring credentials, but social engineering is necessary to convince the user to open the file.

No public proof-of-concept exploit is available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The EPSS probability is 0.205%.

Detection Methods for CVE-2025-54258

Indicators of Compromise

  • Unexpected child processes spawned by Adobe Substance 3D Modeler.exe such as cmd.exe, powershell.exe, or rundll32.exe
  • Substance 3D Modeler process crashes or exception events shortly after opening a third-party file
  • Inbound 3D asset files (.sbsar, project files) from untrusted email or download sources
  • Outbound network connections originating from the Substance 3D Modeler process

Detection Strategies

  • Monitor endpoint telemetry for anomalous process trees where Substance 3D Modeler spawns scripting interpreters or shells
  • Apply behavioral analytics to identify memory corruption indicators such as unexpected module loads or thread injection within the modeler process
  • Correlate file-open events with subsequent process crashes to surface exploitation attempts
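
The first and third strategies above can be expressed as two small rules over endpoint events. This is an added example, not code from Adobe or from the original page; the event field names, hosts, install path and the two-minute window are assumptions to map onto your own EDR or Sysmon schema.

```python
from datetime import datetime, timedelta

PARENT = "adobe substance 3d modeler.exe"               # process name from this page
SHELLS = {"cmd.exe", "powershell.exe", "rundll32.exe"}  # child examples from this page
WINDOW = timedelta(minutes=2)                           # assumption: tune per environment

# Constructed sample events; field names, hosts and paths are hypothetical.
MODELER = r"C:\Apps\Modeler\Adobe Substance 3D Modeler.exe"
EVENTS = [
    {"ts": "2025-09-10T09:14:02", "host": "ws-041", "type": "file_open",
     "image": MODELER, "target": r"C:\Users\alee\Downloads\asset.sbsar"},
    {"ts": "2025-09-10T09:14:05", "host": "ws-041", "type": "process_create",
     "parent": MODELER, "image": r"C:\Windows\System32\cmd.exe"},
    {"ts": "2025-09-10T09:20:00", "host": "ws-007", "type": "file_open",
     "image": MODELER, "target": r"\\fileserver\inbox\scene.sbsar"},
    {"ts": "2025-09-10T09:20:31", "host": "ws-007", "type": "crash", "image": MODELER},
    {"ts": "2025-09-10T11:00:00", "host": "ws-007", "type": "crash", "image": MODELER},
    {"ts": "2025-09-10T09:30:00", "host": "ws-012", "type": "process_create",
     "parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\cmd.exe"},
]

def base(path):
    """Lower-cased file name of a Windows path, independent of the host OS."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def suspicious_children(events):
    """Process creations where the modeler is the parent of a shell or interpreter."""
    return [e for e in events if e["type"] == "process_create"
            and base(e["parent"]) == PARENT and base(e["image"]) in SHELLS]

def crashes_after_open(events):
    """Pair each modeler crash with the last file it opened on that host within WINDOW."""
    hits, last_open = [], {}
    for e in sorted(events, key=lambda e: e["ts"]):
        if base(e["image"]) != PARENT:
            continue
        ts = datetime.fromisoformat(e["ts"])
        if e["type"] == "file_open":
            last_open[e["host"]] = (ts, e["target"])
        elif e["type"] == "crash" and e["host"] in last_open:
            opened, target = last_open[e["host"]]
            if ts - opened <= WINDOW:
                hits.append((e["host"], target, int((ts - opened).total_seconds())))
    return hits

if __name__ == "__main__":
    for e in suspicious_children(EVENTS):
        print("child process:", e["host"], base(e["image"]))
    for host, target, secs in crashes_after_open(EVENTS):
        print(f"crash {secs}s after open: {host} {target}")
```

A crash with no recent file open (the 11:00 event on ws-007) is deliberately not reported, which keeps ordinary stability crashes out of the triage queue.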

Monitoring Recommendations

  • Audit installed versions of Substance 3D Modeler across the fleet and flag any instance at or below 1.22.2
  • Track execution of Substance 3D Modeler on hosts where the application is not part of the user's role
  • Log and review files opened by Substance 3D Modeler from network shares or downloads directories
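
A fleet audit for the first recommendation has to compare versions numerically, because plain string comparison misorders values such as 1.9.0 and 1.22.10 against 1.22.2. The following is an added example, not vendor tooling; the CSV columns, hosts and version values are constructed, and treating a fourth version component as a build of the same release is an assumption.

```python
import csv
import io

MAX_AFFECTED = (1, 22, 2)  # "1.22.2 and earlier", from this page
PRODUCT = "Adobe Substance 3D Modeler"

# Constructed inventory export; hosts and version strings are sample values.
INVENTORY_CSV = """Host,DisplayName,DisplayVersion
ws-041,Adobe Substance 3D Modeler,1.22.2
ws-007,Adobe Substance 3D Modeler,1.9.0
ws-012,Adobe Substance 3D Modeler,1.22.10
ws-019,Adobe Substance 3D Modeler,1.22
ws-033,Adobe Substance 3D Modeler,unknown
ws-050,Adobe Substance 3D Painter,9.0.0
"""

def parse_version(text):
    """Return (major, minor, patch) as ints, or None if the string is not numeric."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        return None
    nums = [int(p) for p in parts[:3]]       # assumption: ignore a 4th build component
    return tuple(nums + [0] * (3 - len(nums)))  # pad "1.22" to (1, 22, 0)

def classify(version_text):
    """'affected' if at or below 1.22.2, 'above_range' if newer, 'review' if unparseable."""
    version = parse_version(version_text)
    if version is None:
        return "review"
    return "affected" if version <= MAX_AFFECTED else "above_range"

def audit(csv_text):
    """Map each host with the modeler installed to its classification."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["Host"]: classify(r["DisplayVersion"])
            for r in rows if r["DisplayName"].startswith(PRODUCT)}

if __name__ == "__main__":
    for host, status in audit(INVENTORY_CSV).items():
        print(f"{host}: {status}")
```

Hosts classified as `review` have a version string the audit cannot parse and should be checked by hand rather than assumed patched.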

How to Mitigate CVE-2025-54258

Immediate Actions Required

  • Update Adobe Substance 3D Modeler to the fixed version listed in Adobe Security Advisory APSB25-92
  • Inventory all endpoints running Substance 3D Modeler and prioritize patching for hosts handling externally sourced 3D content
  • Instruct users to avoid opening Substance 3D Modeler files received from untrusted senders until patching completes

Patch Information

Adobe released a security update addressing CVE-2025-54258 in bulletin APSB25-92. Administrators should deploy the fixed release through the Adobe Creative Cloud desktop application or managed enterprise deployment tools. Refer to the Adobe Security Advisory APSB25-92 for download links and version details.

Workarounds

  • Restrict opening of 3D project and asset files to those originating from trusted internal sources
  • Apply application allowlisting to block Substance 3D Modeler from spawning shells or scripting interpreters
  • Run Substance 3D Modeler under a standard user account with no administrative privileges to limit blast radius

```powershell
# Query installed Substance 3D Modeler version on Windows
Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* |
  Where-Object { $_.DisplayName -like 'Adobe Substance 3D Modeler*' } |
  Select-Object DisplayName, DisplayVersion, InstallLocation
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
