CVE-2023-25887

7.8 HIGH

📋 TL;DR

Adobe Dimension versions 3.4.7 and earlier contain an out-of-bounds read vulnerability when parsing malicious files. This could allow an attacker to execute arbitrary code with the privileges of the current user. Users who open untrusted Dimension files are affected.

💻 Affected Systems

Products:
  • Adobe Dimension
Versions: 3.4.7 and earlier
Operating Systems: Windows, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of affected versions are vulnerable when an untrusted Dimension file is opened.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise via arbitrary code execution with user privileges, potentially leading to data theft, ransomware deployment, or lateral movement.

🟠 Likely Case

Limited code execution within the Adobe Dimension process context, potentially allowing file system access, data exfiltration, or persistence mechanisms.

🟢 If Mitigated

Application crash or denial of service if memory protections prevent successful exploitation.

🌐 Internet-Facing: LOW - Requires user interaction to open malicious file, not directly exploitable over network.
🏢 Internal Only: MEDIUM - Internal users could be targeted via phishing or shared malicious files.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires user to open malicious file; out-of-bounds read may need additional techniques for reliable code execution.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.4.8 or later

Vendor Advisory: https://helpx.adobe.com/security/products/dimension/apsb23-20.html

Restart Required: Yes

Instructions:

1. Open Adobe Creative Cloud application
2. Navigate to Apps tab
3. Find Adobe Dimension and click Update
4. Restart computer after update completes

🔧 Temporary Workarounds

Restrict file opening (applies to: all)

Only open Dimension files from trusted sources; implement application whitelisting.

Sandbox execution (applies to: all)

Run Adobe Dimension in an isolated environment or virtual machine.

🧯 If You Can't Patch

  • Implement application control to block execution of Adobe Dimension
  • Use endpoint protection with memory protection features enabled

🔍 How to Verify

Check if Vulnerable:

Check Adobe Dimension version in Help > About Adobe Dimension

Check Version:

On Windows: Check registry at HKEY_LOCAL_MACHINE\SOFTWARE\Adobe\Dimension\3.0\Version

Verify Fix Applied:

Verify version is 3.4.8 or higher in Help > About Adobe Dimension
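Added example (not from the advisory or from Adobe): a small Python check that decides whether an installed Adobe Dimension version falls inside the affected range (3.4.7 and earlier, fixed in 3.4.8). It compares versions as integer tuples rather than strings, which matters once a release such as 3.4.10 exists, and on Windows it reads the registry value quoted above; the registry path is the one on this page, everything else (version samples, function names) is constructed for illustration.

```python
"""Check an Adobe Dimension version against the CVE-2023-25887 fix boundary.

Added example, not vendor code. Assumes dotted-integer version strings
such as "3.4.7"; the registry location is the one quoted in the advisory.
"""
import re
import sys

FIXED_VERSION = (3, 4, 8)                        # first fixed release per the advisory
REGISTRY_KEY = r"SOFTWARE\Adobe\Dimension\3.0"   # under HKEY_LOCAL_MACHINE, per the advisory
REGISTRY_VALUE = "Version"


def parse_version(text):
    """Turn '3.4.7' (optionally with a trailing build tag) into a tuple of ints.

    Tuple comparison avoids the string-comparison bug where
    '3.4.10' < '3.4.8' because the character '1' sorts before '8'.
    """
    match = re.match(r"^\s*(\d+(?:\.\d+)*)", text)
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def pad(parts, length):
    """Right-pad a version tuple with zeros so '3.4' compares as '3.4.0'."""
    return tuple(parts) + (0,) * (length - len(parts))


def is_vulnerable(version_text):
    """True for 3.4.7 and earlier, False for 3.4.8 or later."""
    installed = parse_version(version_text)
    width = max(len(installed), len(FIXED_VERSION))
    return pad(installed, width) < pad(FIXED_VERSION, width)


def read_installed_version_windows():
    """Read the advisory's registry value. Returns None off Windows or when
    the key or value is absent, so the script stays runnable anywhere."""
    if sys.platform != "win32":
        return None
    import winreg  # Windows-only standard library module
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, REGISTRY_KEY) as key:
            value, _ = winreg.QueryValueEx(key, REGISTRY_VALUE)
            return str(value)
    except OSError:
        return None


if __name__ == "__main__":
    # Constructed sample inputs; on a Windows host the registry read below is used instead.
    for sample in ("3.4.7", "3.4.8", "3.4.10", "3.3.0"):
        state = "VULNERABLE" if is_vulnerable(sample) else "fixed"
        print(f"Adobe Dimension {sample}: {state}")
    detected = read_installed_version_windows()
    if detected is not None:
        state = "VULNERABLE" if is_vulnerable(detected) else "fixed"
        print(f"Installed version {detected}: {state}")
```

On a fleet, the same `is_vulnerable` test can be applied to version strings gathered by an inventory or EDR tool; the registry reader is only a convenience for a single Windows host.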

📡 Detection & Monitoring

Log Indicators:

  • Application crashes of Adobe Dimension
  • Unusual file access patterns from Dimension process

Network Indicators:

  • Outbound connections from Adobe Dimension to unexpected destinations

SIEM Query:

process_name:"Adobe Dimension.exe" AND (event_type:crash OR parent_process:explorer.exe)
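Added example (not from the advisory): the SIEM query above translated into Python and run over a handful of constructed endpoint events, so you can see what each clause matches before deploying it. The event records, hostnames, field names and values are all constructed for illustration; the two clauses are split so that crashes (the meaningful signal for an out-of-bounds read) can be alerted on while `parent_process:explorer.exe`, which fires on every ordinary double-click launch, is baselined rather than alerted.

```python
"""Run the advisory's SIEM query logic over constructed telemetry.

Query: process_name:"Adobe Dimension.exe" AND (event_type:crash OR parent_process:explorer.exe)
Added example, not vendor code; sample events below are constructed.
"""

TARGET_PROCESS = "adobe dimension.exe"   # from the advisory's query, lower-cased
PARENT_OF_INTEREST = "explorer.exe"

# Constructed sample telemetry: a normal double-click launch, an outbound
# connection from the same process, a crash, and an unrelated crash.
SAMPLE_EVENTS = [
    {"host": "ws-01", "process_name": "Adobe Dimension.exe",
     "parent_process": "explorer.exe", "event_type": "process_start"},
    {"host": "ws-01", "process_name": "Adobe Dimension.exe",
     "parent_process": "explorer.exe", "event_type": "network_connect",
     "dest": "203.0.113.7:443"},
    {"host": "ws-02", "process_name": "Adobe Dimension.exe",
     "parent_process": "Creative Cloud.exe", "event_type": "crash",
     "exit_code": "0xC0000005"},
    {"host": "ws-03", "process_name": "WINWORD.EXE",
     "parent_process": "explorer.exe", "event_type": "crash"},
]


def matches_query(event):
    """Boolean form of the advisory's query. Image names are compared
    case-insensitively because Windows file names are."""
    if event.get("process_name", "").lower() != TARGET_PROCESS:
        return False
    is_crash = event.get("event_type") == "crash"
    from_explorer = event.get("parent_process", "").lower() == PARENT_OF_INTEREST
    return is_crash or from_explorer


def run_query(events):
    """Return every event the query would match."""
    return [e for e in events if matches_query(e)]


def triage(events):
    """Split matches by clause so the noisy one can be handled separately."""
    hits = run_query(events)
    return {
        "crash": [e for e in hits if e.get("event_type") == "crash"],
        "explorer_launch": [e for e in hits if e.get("event_type") != "crash"],
    }


if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_EVENTS).items():
        print(f"{bucket}: {len(items)} event(s)")
        for e in items:
            print("   ", e["host"], e["event_type"], e.get("exit_code", ""))
```

In practice the `explorer_launch` bucket is what the query returns on a healthy workstation all day, so treat it as context for the `crash` bucket (for example, a crash shortly after a launch that opened a file received by e-mail) rather than as an alert on its own.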
