Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-54260

CVE-2025-54260: Adobe Substance 3D Modeler RCE Vulnerability

CVE-2025-54260 is an out-of-bounds read RCE vulnerability in Adobe Substance 3D Modeler that enables attackers to execute arbitrary code. This article covers the technical details, affected versions, impact, and mitigation.

Published:

CVE-2025-54260 Overview

CVE-2025-54260 is an out-of-bounds read vulnerability in Adobe Substance 3D Modeler version 1.22.2 and earlier. The flaw [CWE-125] occurs when the application parses a crafted file, causing a read past the end of an allocated memory structure. An attacker who convinces a user to open a malicious file can leverage this condition to execute code in the context of the current user. The vulnerability requires local user interaction and does not change scope. Adobe addressed the issue in security bulletin APSB25-92.

Critical Impact

Successful exploitation results in arbitrary code execution in the context of the logged-in user, potentially enabling full compromise of the workstation when run with elevated privileges.

Affected Products

  • Adobe Substance 3D Modeler version 1.22.2
  • Adobe Substance 3D Modeler all prior versions
  • Windows and macOS installations of Substance 3D Modeler

Discovery Timeline

  • 2025-09-09 - CVE-2025-54260 published to NVD
  • 2025-09-12 - Last updated in NVD database

Technical Details for CVE-2025-54260

Vulnerability Analysis

The vulnerability resides in the file parsing logic of Adobe Substance 3D Modeler. When the application processes a malformed or specially crafted project file, it reads data beyond the bounds of an allocated buffer. This out-of-bounds read [CWE-125] can return adjacent memory contents to the parser, corrupt program state, or be chained with other memory primitives to redirect execution flow.

Exploitation produces arbitrary code execution under the privileges of the user running Substance 3D Modeler. Because the attack vector is local and requires the victim to open the malicious file, threat actors typically deliver the payload through phishing, shared project repositories, or compromised asset libraries used by 3D modelers and design teams.

Root Cause

The defect stems from insufficient bounds checking during deserialization of file structures. The parser trusts size or offset fields embedded in the input file without validating them against the actual buffer length. When a value points outside the allocated region, the read operation accesses unintended memory. Adobe has not published low-level technical detail beyond the APSB25-92 advisory.

Attack Vector

An attacker crafts a malicious Substance 3D Modeler project or asset file and delivers it to a victim through email, a shared drive, or a compromised marketplace. When the victim opens the file, the vulnerable parser triggers the out-of-bounds read, and chained memory primitives lead to code execution. No network exposure is required, but user interaction is mandatory. See the Adobe Security Bulletin APSB25-92 for vendor guidance.

Detection Methods for CVE-2025-54260

Indicators of Compromise

  • Unexpected child processes spawned by Adobe Substance 3D Modeler.exe such as cmd.exe, powershell.exe, or scripting hosts
  • Crash artifacts or Windows Error Reporting events referencing the Modeler process after opening third-party project files
  • Suspicious Substance 3D project files (.sbsm, .sbs, related assets) arriving via email or unknown shared repositories
  • Outbound network connections initiated by the Modeler process to untrusted hosts

Detection Strategies

  • Hunt for process lineage where Adobe Substance 3D Modeler.exe is the parent of shell or scripting interpreters
  • Alert on Modeler-initiated file writes to autostart locations, scheduled tasks, or user Startup directories
  • Inspect endpoint telemetry for memory access violations in the Modeler process correlated with recent file open events

Monitoring Recommendations

  • Log and review file open events for Substance 3D Modeler across creative and engineering workstations
  • Forward EDR process and file telemetry to a centralized SIEM or data lake for retroactive hunting once new IOCs are published
  • Track installed Substance 3D Modeler versions through software inventory to identify hosts still running 1.22.2 or earlier

How to Mitigate CVE-2025-54260

Immediate Actions Required

  • Update Adobe Substance 3D Modeler to the fixed version listed in Adobe Security Bulletin APSB25-92
  • Restrict opening of Substance 3D project files received from external or untrusted sources
  • Enforce least-privilege accounts for users running 3D modeling software to limit blast radius of code execution
  • Train design and creative teams to validate the origin of .sbsm and related asset files before opening

Patch Information

Adobe released a security update for Substance 3D Modeler addressing CVE-2025-54260 in bulletin APSB25-92. Administrators should consult the bulletin for the fixed version and deploy through the Adobe Creative Cloud desktop application or enterprise deployment tooling. Vendor advisory: Adobe Security Bulletin APSB25-92.

Workarounds

  • Block delivery of Substance 3D project file extensions at the email gateway when no business need exists
  • Use application allowlisting to restrict which file paths Substance 3D Modeler can load from
  • Isolate workstations that handle externally sourced 3D content from sensitive corporate networks

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.