Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-64531

CVE-2025-64531: Adobe Substance 3D Stager UAF Vulnerability

CVE-2025-64531 is a use-after-free vulnerability in Adobe Substance 3D Stager that enables arbitrary code execution when users open malicious files. This article covers technical details, affected versions, and mitigations.

Published:

CVE-2025-64531 Overview

CVE-2025-64531 is a Use After Free vulnerability [CWE-416] affecting Adobe Substance 3D Stager versions 3.1.5 and earlier. Successful exploitation allows arbitrary code execution in the context of the current user. The flaw requires local user interaction, specifically opening a malicious file crafted by an attacker. Adobe published the issue on November 11, 2025, and addressed it in security advisory APSB25-113. The vulnerability affects installations on both Microsoft Windows and Apple macOS platforms.

Critical Impact

Attackers can execute arbitrary code with the privileges of the logged-in user by tricking a victim into opening a malicious Substance 3D Stager project file.

Affected Products

  • Adobe Substance 3D Stager versions 3.1.5 and earlier
  • Apple macOS installations of Substance 3D Stager
  • Microsoft Windows installations of Substance 3D Stager

Discovery Timeline

  • 2025-11-11 - CVE-2025-64531 published to NVD
  • 2025-11-12 - Last updated in NVD database
  • 2025-11-11 - Adobe released security advisory APSB25-113

Technical Details for CVE-2025-64531

Vulnerability Analysis

The vulnerability is a Use After Free condition [CWE-416] in Adobe Substance 3D Stager. Use After Free flaws occur when an application continues to reference memory after it has been freed, allowing attackers to manipulate the freed memory region. By controlling the contents of the reclaimed allocation, an attacker can redirect execution flow and run arbitrary code. The attack vector is local and requires user interaction. The victim must open a malicious file in a vulnerable Substance 3D Stager build for exploitation to succeed. Code executes with the privileges of the current user, providing a foothold for further local actions.

Root Cause

The root cause is improper memory management when parsing untrusted file content. The application releases an object but retains a dangling reference that is later dereferenced. Specific technical details are not disclosed in Adobe's advisory APSB25-113.

Attack Vector

An attacker crafts a malicious project or asset file and delivers it through phishing, file-sharing platforms, or compromised supply chains. When the victim opens the file in Substance 3D Stager, the parser triggers the dangling reference and executes attacker-controlled code. No elevated privileges are required to initiate the attack. The resulting code execution runs under the victim's user account, enabling credential theft, persistence, or lateral pivot.

No public proof-of-concept code or exploit is available for CVE-2025-64531. See the Adobe Security Advisory APSB25-113 for vendor details.

Detection Methods for CVE-2025-64531

Indicators of Compromise

  • Unexpected child processes spawned from Adobe Substance 3D Stager.exe or the macOS application bundle, including shells, scripting hosts, or rundll32.exe.
  • Substance 3D Stager process performing outbound network connections to unknown hosts shortly after opening a file.
  • Creation of new executables, scripts, or persistence entries in user-writable paths following project file open events.

Detection Strategies

  • Hunt for anomalous process lineage where Substance 3D Stager is the parent of command interpreters such as cmd.exe, powershell.exe, bash, or osascript.
  • Monitor file system telemetry for suspicious 3D project files (.sbs, .ssa, .sbsar) sourced from email attachments, browser downloads, or removable media.
  • Correlate Substance 3D Stager crash events with subsequent suspicious activity on the same host within a short time window.

Monitoring Recommendations

  • Enable detailed process creation logging (Windows Event ID 4688, Sysmon Event ID 1, macOS Endpoint Security) for creative software hosts.
  • Track installed Adobe Substance 3D Stager versions across the fleet and alert on any host still running 3.1.5 or earlier.
  • Review proxy and DNS logs for outbound connections originating from Substance 3D Stager processes immediately after file open operations.

How to Mitigate CVE-2025-64531

Immediate Actions Required

  • Inventory all Windows and macOS endpoints running Adobe Substance 3D Stager and identify versions 3.1.5 and earlier.
  • Apply the update referenced in Adobe security bulletin APSB25-113 as soon as it is available in your environment.
  • Instruct users not to open Substance 3D Stager project files received from untrusted or unverified sources.

Patch Information

Adobe addressed CVE-2025-64531 in the update documented in Adobe Security Advisory APSB25-113. Upgrade Adobe Substance 3D Stager to the fixed release published by Adobe for both Windows and macOS platforms. Verify the installed version after deployment through the application's About dialog or software inventory tooling.

Workarounds

  • Restrict file associations so untrusted 3D asset files do not automatically launch Substance 3D Stager.
  • Block inbound delivery of Substance 3D project file extensions at email and web gateways for users who do not require them.
  • Apply application allowlisting or attack surface reduction rules to prevent creative applications from spawning command interpreters.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.