CVE-2025-54258 Overview
CVE-2025-54258 is a Use After Free vulnerability [CWE-416] in Adobe Substance 3D Modeler versions 1.22.2 and earlier. The flaw allows arbitrary code execution in the context of the current user when a victim opens a malicious file. Exploitation requires user interaction, and the attack vector is local. Adobe published the issue in security bulletin APSB25-92 on September 9, 2025.
Critical Impact
Successful exploitation results in arbitrary code execution under the privileges of the user running Substance 3D Modeler, enabling attackers to install malware, exfiltrate data, or pivot deeper into the environment.
Affected Products
- Adobe Substance 3D Modeler 1.22.2 and earlier
- Windows installations of Substance 3D Modeler
- macOS installations of Substance 3D Modeler
Discovery Timeline
- 2025-09-09 - CVE-2025-54258 published to NVD
- 2025-09-09 - Adobe releases Security Advisory APSB25-92
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-54258
Vulnerability Analysis
The vulnerability is a Use After Free condition [CWE-416] triggered when Substance 3D Modeler parses a crafted scene or asset file. The application references memory that has already been released, allowing an attacker to influence the contents of the memory that the dangling pointer still refers to. Controlled reuse of freed memory enables hijacking program flow and executing arbitrary code.
Exploitation requires the victim to open an attacker-supplied file. Because Substance 3D Modeler runs in user context, code executes with the current user's privileges. The scope is unchanged, so the impact remains within the user's security boundary, but full confidentiality, integrity, and availability loss is possible within that scope.
Root Cause
The root cause is improper lifetime management of an object during file parsing. The application frees a memory region but retains a reference that is later dereferenced. Adobe's advisory does not disclose the specific module or function. See the Adobe Security Advisory APSB25-92 for vendor details.
Attack Vector
An attacker crafts a malicious 3D project or asset file and delivers it through email, file sharing, or a compromised website. When the victim opens the file in a vulnerable version of Substance 3D Modeler, parsing triggers the Use After Free condition. The attacker gains code execution without requiring credentials, but social engineering is necessary to convince the user to open the file.
No public proof-of-concept exploit is available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The EPSS probability is 0.205%.
Detection Methods for CVE-2025-54258
Indicators of Compromise
- Unexpected child processes spawned by Adobe Substance 3D Modeler.exe such as cmd.exe, powershell.exe, or rundll32.exe
- Substance 3D Modeler process crashes or exception events shortly after opening a third-party file
- Inbound 3D asset files (.sbsar, project files) from untrusted email or download sources
- Outbound network connections originating from the Substance 3D Modeler process
Detection Strategies
- Monitor endpoint telemetry for anomalous process trees where Substance 3D Modeler spawns scripting interpreters or shells
- Apply behavioral analytics to identify memory corruption indicators such as unexpected module loads or thread injection within the modeler process
- Correlate file-open events with subsequent process crashes to surface exploitation attempts
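The two correlations above (shells spawned by the modeler process, and a crash shortly after a file open) are sketched below as an added example; it is not from Adobe or the original page. The event field names, hosts, paths and the 60-second window are assumptions to be mapped onto your own EDR or Sysmon schema.

```python
from datetime import datetime, timedelta

# Parent and child image names come from the page's indicator list.
PARENT = "adobe substance 3d modeler.exe"
SHELLS = {"cmd.exe", "powershell.exe", "rundll32.exe"}
CRASH_WINDOW = timedelta(seconds=60)  # assumption: tune to your telemetry

def base(path):  # lower-cased file name of a Windows path
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def detect(events):
    """Flag shells spawned by Modeler and crashes shortly after a file open."""
    alerts, last_open = [], {}  # last_open: (host, pid) -> (time, file)
    for ev in sorted(events, key=lambda e: e["time"]):
        image, key = base(ev["image"]), (ev["host"], ev.get("pid"))
        if ev["type"] == "process_create":
            if base(ev["parent_image"]) == PARENT and image in SHELLS:
                alerts.append(("suspicious_child", ev["host"], image))
        elif image != PARENT:
            continue
        elif ev["type"] == "file_open":
            last_open[key] = (ev["time"], ev["file"])
        elif ev["type"] == "crash" and key in last_open:
            opened_at, path = last_open.pop(key)
            if ev["time"] - opened_at <= CRASH_WINDOW:
                alerts.append(("crash_after_open", ev["host"], path))
    return alerts

def at(hms):
    return datetime.fromisoformat("2025-09-10T" + hms)

# Constructed sample telemetry (hosts, PIDs and paths are made up).
MODELER = r"C:\Apps\Modeler\Adobe Substance 3D Modeler.exe"
SAMPLE = [
    {"type": "file_open", "time": at("09:00:00"), "host": "ws-01", "pid": 4120,
     "image": MODELER, "file": r"C:\Users\a\Downloads\asset.sbsar"},
    {"type": "crash", "time": at("09:00:20"), "host": "ws-01", "pid": 4120, "image": MODELER},
    {"type": "process_create", "time": at("09:05:00"), "host": "ws-02",
     "parent_image": MODELER, "image": r"C:\Windows\System32\cmd.exe"},
    {"type": "file_open", "time": at("10:00:00"), "host": "ws-03", "pid": 77,
     "image": MODELER, "file": r"\\fs\share\scene.sbsar"},
    {"type": "crash", "time": at("10:30:00"), "host": "ws-03", "pid": 77, "image": MODELER},
    {"type": "process_create", "time": at("11:00:00"), "host": "ws-02",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]

if __name__ == "__main__":
    print(*detect(SAMPLE), sep="\n")
```

The ws-03 crash falls outside the window and the explorer.exe-launched PowerShell has a different parent, so neither produces an alert.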
Monitoring Recommendations
- Audit installed versions of Substance 3D Modeler across the fleet and flag any instance at or below 1.22.2
- Track execution of Substance 3D Modeler on hosts where the application is not part of the user's role
- Log and review files opened by Substance 3D Modeler from network shares or downloads directories
How to Mitigate CVE-2025-54258
Immediate Actions Required
- Update Adobe Substance 3D Modeler to the fixed version listed in Adobe Security Advisory APSB25-92
- Inventory all endpoints running Substance 3D Modeler and prioritize patching for hosts handling externally sourced 3D content
- Instruct users to avoid opening Substance 3D Modeler files received from untrusted senders until patching completes
Patch Information
Adobe released a security update addressing CVE-2025-54258 in bulletin APSB25-92. Administrators should deploy the fixed release through the Adobe Creative Cloud desktop application or managed enterprise deployment tools. Refer to the Adobe Security Advisory APSB25-92 for download links and version details.
Workarounds
- Restrict opening of 3D project and asset files to those originating from trusted internal sources
- Apply application allowlisting to block Substance 3D Modeler from spawning shells or scripting interpreters
- Run Substance 3D Modeler under a standard user account with no administrative privileges to limit blast radius
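# Query installed Substance 3D Modeler version on Windows
# (checks both the 64-bit and 32-bit uninstall registry views)
Get-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
                       'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*' -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'Adobe Substance 3D Modeler*' } |
    Select-Object DisplayName, DisplayVersion, InstallLocation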

