
CVE-2025-54276: Adobe Substance 3D Modeler RCE Flaw

CVE-2025-54276 is an out-of-bounds read RCE vulnerability in Adobe Substance 3D Modeler versions 1.22.3 and earlier. Attackers can execute code by tricking users into opening malicious files. Learn the technical details.


CVE-2025-54276 Overview

CVE-2025-54276 is an out-of-bounds read vulnerability affecting Adobe Substance 3D Modeler versions 1.22.3 and earlier. The flaw occurs when the application parses a maliciously crafted file, causing a read past the end of an allocated memory structure. An attacker can leverage this condition to execute code in the context of the current user. Exploitation requires user interaction, specifically that a victim opens a malicious file. The vulnerability is classified under CWE-125 (Out-of-bounds Read).

Critical Impact

Successful exploitation allows arbitrary code execution in the context of the current user, compromising confidentiality, integrity, and availability of the affected system.

Affected Products

  • Adobe Substance 3D Modeler versions 1.22.3 and earlier
  • Windows installations of Adobe Substance 3D Modeler
  • macOS installations of Adobe Substance 3D Modeler

Discovery Timeline

  • 2025-10-14 - CVE-2025-54276 published to NVD
  • 2025-10-17 - Last updated in NVD database
  • 2025-10-14 - Adobe published security advisory APSB25-100

Technical Details for CVE-2025-54276

Vulnerability Analysis

The vulnerability resides in the file parsing logic of Adobe Substance 3D Modeler. When the application processes a crafted input file, it reads memory beyond the bounds of an allocated buffer. This out-of-bounds read can expose adjacent memory contents and, under specific conditions, corrupt program state in ways that lead to arbitrary code execution.

The attack vector is local and requires user interaction. An attacker must convince a victim to open a malicious project, scene, or asset file using a vulnerable version of Substance 3D Modeler. Once opened, the malformed structure triggers the unsafe read during deserialization or geometry parsing.

Code execution occurs in the security context of the user running the application. On workstations where designers run with administrative privileges, this provides a foothold for further compromise of the host.

Root Cause

The root cause is missing or insufficient bounds checking during file parsing. The application trusts size or offset fields embedded in the input file without validating them against the actual allocated buffer length, resulting in a read past the end of the memory structure as described in CWE-125.
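The check this root cause calls for, as an added example (not code from Adobe or from this advisory). The 8-byte record header, the function name `read_payload`, and the sample byte arrays are hypothetical and constructed for illustration; the real file format is not documented on this page.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical record (constructed, not Adobe's format): bytes 0-3 payload
 * offset, bytes 4-7 payload length, little-endian, both taken from the file. */
#define HDR_SIZE 8u

static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Copies the payload into out and stores its size in *out_len. Returns 0 on
 * success, -1 if the header describes bytes outside file[] or beyond out_cap. */
int read_payload(const uint8_t *file, size_t file_len,
                 uint8_t *out, size_t out_cap, size_t *out_len) {
    if (!file || !out || !out_len || file_len < HDR_SIZE)
        return -1;                      /* truncated header */
    uint32_t off = rd_le32(file);
    uint32_t len = rd_le32(file + 4);

    /* The CWE-125 pattern is an unchecked memcpy(out, file + off, len) here.
     * Each check is a comparison or subtraction, so off + len can never wrap. */
    if (off < HDR_SIZE || off > file_len)
        return -1;                      /* offset outside the buffer */
    if (len > file_len - off)
        return -1;                      /* length runs past the end */
    if (len > out_cap)
        return -1;                      /* destination too small */

    memcpy(out, file + off, len);
    *out_len = len;
    return 0;
}

/* Constructed samples: a valid record, an oversized length, and a length that
 * makes a 32-bit off + len wrap around to a small, plausible-looking value. */
static const uint8_t GOOD[]     = {8, 0, 0, 0, 4, 0, 0, 0, 'M', 'E', 'S', 'H'};
static const uint8_t BAD_LEN[]  = {8, 0, 0, 0, 0xFF, 0xFF, 0, 0, 'M', 'E', 'S', 'H'};
static const uint8_t BAD_WRAP[] = {12, 0, 0, 0, 0xFF, 0xFF, 0xFF, 0xFF, 'M', 'E', 'S', 'H'};

int main(void) {
    uint8_t out[16];
    size_t n = 0;
    printf("good=%d ", read_payload(GOOD, sizeof GOOD, out, sizeof out, &n));
    printf("bad_len=%d ", read_payload(BAD_LEN, sizeof BAD_LEN, out, sizeof out, &n));
    printf("bad_wrap=%d\n", read_payload(BAD_WRAP, sizeof BAD_WRAP, out, sizeof out, &n));
    return 0;
}
```

The `BAD_WRAP` sample is the case a check written as `off + len <= file_len` in 32-bit arithmetic would accept, which is why the length test subtracts instead of adding.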

Attack Vector

An attacker crafts a malicious Substance 3D Modeler file containing malformed metadata or geometry records. The file is delivered through phishing emails, compromised asset marketplaces, shared project repositories, or supply chain channels common to creative workflows. When the victim opens the file, the parser triggers the out-of-bounds read, and the attacker achieves code execution as the current user.

No verified public proof-of-concept exploit is available at the time of publication. See the Adobe Substance 3D Modeler Advisory APSB25-100 for vendor-supplied technical context.

Detection Methods for CVE-2025-54276

Indicators of Compromise

  • Unexpected child processes spawned by the Substance 3D Modeler executable, such as command shells or scripting interpreters.
  • Substance 3D Modeler files arriving from untrusted email senders, external file shares, or unofficial asset marketplaces.
  • Crashes or abnormal termination of Substance 3D Modeler shortly after opening a third-party file.
  • Outbound network connections initiated by the Modeler process to uncommon or unrecognized hosts.

Detection Strategies

  • Monitor process lineage for the Substance 3D Modeler binary and alert on creation of shells, PowerShell, cmd.exe, or LOLBins.
  • Deploy YARA or content rules on email and file gateways to flag Substance 3D Modeler project files originating outside trusted creative pipelines.
  • Correlate application crash telemetry with subsequent suspicious process or network activity on the same host.

Monitoring Recommendations

  • Enable detailed endpoint process and file telemetry on workstations used by 3D artists, designers, and creative teams.
  • Track installed versions of Adobe Substance 3D Modeler across the fleet and alert on systems still running 1.22.3 or earlier.
  • Review egress traffic from creative workstations for anomalous connections following the opening of newly received asset files.

How to Mitigate CVE-2025-54276

Immediate Actions Required

  • Update Adobe Substance 3D Modeler to the fixed version listed in the Adobe APSB25-100 advisory.
  • Inventory all endpoints running Substance 3D Modeler and prioritize patching for users who handle externally sourced assets.
  • Instruct users to open Substance 3D Modeler files only from verified, trusted sources.
  • Run Substance 3D Modeler under standard user accounts rather than administrator accounts to limit blast radius.

Patch Information

Adobe released a fixed version of Substance 3D Modeler as documented in security bulletin APSB25-100. Administrators should deploy the vendor-supplied update to all affected workstations. There is no indication in the advisory of in-the-wild exploitation, and the vulnerability is not listed on the CISA Known Exploited Vulnerabilities catalog.

Workarounds

  • Restrict the opening of Substance 3D Modeler files to known-good internal pipelines until patching is complete.
  • Use application allowlisting to prevent Substance 3D Modeler from launching child processes such as shells or scripting hosts.
  • Apply email and gateway filtering to block or quarantine Substance 3D Modeler project files from external senders.
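
```powershell
# Configuration example
# Windows: query the installed version of Substance 3D Modeler
# (checks both the 64-bit and the 32-bit uninstall registry views)
Get-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*",
                 "HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" -ErrorAction SilentlyContinue |
  Where-Object { $_.DisplayName -like "*Substance 3D Modeler*" } |
  Select-Object DisplayName, DisplayVersion
```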

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
