CVE-2025-61834 Overview
CVE-2025-61834 is a Use After Free vulnerability [CWE-416] in Adobe Substance 3D Stager versions 3.1.5 and earlier. The flaw allows arbitrary code execution in the context of the current user. Exploitation requires user interaction: a victim must open a malicious file crafted by an attacker. Adobe published the vulnerability on November 11, 2025 and addressed it in security advisory APSB25-113. The issue affects installations on both Microsoft Windows and Apple macOS.
Critical Impact
Successful exploitation allows arbitrary code execution under the privileges of the current user, enabling malware deployment, data theft, or further lateral movement from the compromised workstation.
Affected Products
- Adobe Substance 3D Stager versions 3.1.5 and earlier
- Apple macOS installations of Substance 3D Stager
- Microsoft Windows installations of Substance 3D Stager
Discovery Timeline
- 2025-11-11 - CVE-2025-61834 published to NVD alongside Adobe advisory APSB25-113
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-61834
Vulnerability Analysis
The vulnerability is a Use After Free condition [CWE-416] in Adobe Substance 3D Stager. Use After Free occurs when an application continues to reference memory after that memory has been freed. An attacker who controls the contents of a reallocated heap region can hijack control flow when the dangling pointer is dereferenced.
In the context of Substance 3D Stager, the flaw is triggered by parsing logic that handles a crafted project or asset file. When the application frees an object during file processing but later operates on the stale pointer, the attacker-controlled data placed at the same allocation can be interpreted as a valid object. This typically leads to a corrupted virtual function table or callback pointer, redirecting execution into attacker-supplied shellcode.
The vulnerability has a local attack vector and requires user interaction. The victim must open the malicious file. No elevated privileges are required prior to exploitation. Code executes in the security context of the user running Substance 3D Stager.
Root Cause
The root cause is improper object lifetime management during file parsing. A reference to a heap object persists after the object's memory has been released back to the allocator. Subsequent access to that reference produces undefined behavior that an attacker can shape through controlled heap grooming inside the malicious input file.
Attack Vector
The attack vector is local file processing. An attacker delivers a malicious Substance 3D Stager project or asset file through email, a shared workspace, a download link, or a compromised asset repository. When the target opens the file in a vulnerable version, the parsing code triggers the Use After Free and executes the attacker's payload. No network exposure of the application is required.
No public proof-of-concept exploit is currently available, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog.
Detection Methods for CVE-2025-61834
Indicators of Compromise
- Unexpected child processes spawned by Adobe Substance 3D Stager.exe on Windows or the Stager binary on macOS, particularly shells, scripting hosts, or rundll32.exe.
- Crashes or abnormal terminations of Substance 3D Stager immediately after opening a project file from an untrusted source.
- Outbound network connections originating from the Stager process to non-Adobe infrastructure.
- Newly written executable files or persistence artifacts in the user profile shortly after Stager file open events.
Detection Strategies
- Hunt for process lineage anomalies where Substance 3D Stager spawns command interpreters such as cmd.exe, powershell.exe, bash, or osascript.
- Correlate file open telemetry for .sbs, .ssg, and related Substance project formats with subsequent process or file write events.
- Behavioral AI-based endpoint protection, such as the static and behavioral models in SentinelOne Singularity Endpoint, can identify post-exploitation activity including shellcode execution, code injection, and ransomware patterns even when the initial Use After Free has no signature.
Monitoring Recommendations
- Inventory all hosts running Adobe Substance 3D Stager and flag versions at or below 3.1.5 for prioritized patching.
- Monitor email gateways and collaboration platforms for inbound Substance 3D project files from external senders.
- Forward endpoint process, file, and network telemetry to a centralized analytics platform such as Singularity Data Lake to support cross-host hunting and retrospective analysis.
How to Mitigate CVE-2025-61834
Immediate Actions Required
- Update Adobe Substance 3D Stager to the fixed version published in Adobe Security Bulletin APSB25-113.
- Block delivery of Substance 3D project and asset files from untrusted external senders at email and web gateways until patches are deployed.
- Instruct designers and 3D artists to open only files received from verified internal sources.
Patch Information
Adobe released a fixed build of Substance 3D Stager on November 11, 2025. Refer to the Adobe Security Advisory APSB25-113 for the exact patched version and download instructions for Windows and macOS.
Workarounds
- If patching is not immediately possible, restrict use of Substance 3D Stager to dedicated workstations that do not handle untrusted files.
- Run Substance 3D Stager under a standard user account with no local administrator rights to limit the impact of code execution.
- Apply application allowlisting to prevent Stager from launching unauthorized child processes.
- Maintain endpoint protection capable of detecting post-exploitation behavior associated with heap corruption exploits.
# Windows: enumerate installed Substance 3D Stager versions across endpoints
Get-WmiObject -Class Win32_Product | \
Where-Object { $_.Name -like "*Substance 3D Stager*" } | \
Select-Object Name, Version, InstallDate
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

