CVE-2023-25891

7.8 HIGH

📋 TL;DR

Adobe Dimension versions 3.4.7 and earlier contain an out-of-bounds read vulnerability when parsing malicious files. An attacker could exploit this to execute arbitrary code with the privileges of the current user. This affects users who open untrusted files in vulnerable Adobe Dimension installations.

💻 Affected Systems

Products:
  • Adobe Dimension
Versions: 3.4.7 and earlier
Operating Systems: Windows, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of affected versions are vulnerable when parsing files.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise via arbitrary code execution with user privileges, potentially leading to data theft, ransomware deployment, or lateral movement.

🟠

Likely Case

Limited impact due to requirement for user interaction (opening malicious file), but could still result in malware installation or data exfiltration.

🟢

If Mitigated

No impact if users avoid opening untrusted files or if software is patched.

🌐 Internet-Facing: LOW - Exploitation requires user interaction with malicious files, not directly network-exposed.
🏢 Internal Only: MEDIUM - Internal users could be targeted via phishing or shared malicious files.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires user interaction (opening malicious file) and bypassing memory protections.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.4.8 or later

Vendor Advisory: https://helpx.adobe.com/security/products/dimension/apsb23-20.html

Restart Required: Yes

Instructions:

1. Open the Adobe Creative Cloud application.
2. Navigate to the 'Apps' section.
3. Find Adobe Dimension and click 'Update'.
4. Restart the computer after the installation completes.

🔧 Temporary Workarounds

Restrict file opening (all platforms)

Configure the system to prevent opening untrusted .dim files, or restrict execution of Adobe Dimension.

🧯 If You Can't Patch

  • Implement application whitelisting to block Adobe Dimension execution.
  • Educate users to never open untrusted .dim files from unknown sources.

🔍 How to Verify

Check if Vulnerable:

Check the Adobe Dimension version under Help > About Adobe Dimension. If the version is 3.4.7 or earlier, the system is vulnerable.

Check Version:

  • On Windows: check the registry value HKEY_LOCAL_MACHINE\SOFTWARE\Adobe\Dimension\3.0\Version.
  • On macOS: check /Applications/Adobe Dimension.app/Contents/Info.plist for CFBundleShortVersionString.

Verify Fix Applied:

Verify Adobe Dimension version is 3.4.8 or later in Help > About Adobe Dimension.
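Added example (not from the advisory or from Adobe): a Python check that reads the installed version from the registry value and Info.plist key named above and compares it numerically against the 3.4.8 fix, so that a release such as 3.4.10 is not mistaken for a vulnerable one by string comparison.

```python
# Added example (not the advisory's own code): compares the installed Adobe
# Dimension version against the 3.4.8 fix for CVE-2023-25891.
import platform
import plistlib

FIXED_VERSION = (3, 4, 8)
# Locations named in the advisory.
WIN_KEY = r"SOFTWARE\Adobe\Dimension\3.0"   # under HKEY_LOCAL_MACHINE
MAC_PLIST = "/Applications/Adobe Dimension.app/Contents/Info.plist"

def parse_version(text):
    """'3.4.7' -> (3, 4, 7); stops at the first non-numeric component."""
    parts = []
    for piece in text.strip().split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)

def is_vulnerable(version_text):
    """True for 3.4.7 and earlier; tuple comparison keeps 3.4.10 above 3.4.8."""
    return parse_version(version_text) < FIXED_VERSION

def installed_version():
    """Installed version string from the advisory's paths, or None if absent."""
    system = platform.system()
    if system == "Windows":
        import winreg  # only available on Windows
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WIN_KEY) as key:
                return str(winreg.QueryValueEx(key, "Version")[0])
        except OSError:
            return None
    if system == "Darwin":
        try:
            with open(MAC_PLIST, "rb") as fh:
                return plistlib.load(fh).get("CFBundleShortVersionString")
        except (OSError, plistlib.InvalidFileException):
            return None
    return None

if __name__ == "__main__":
    found = installed_version()
    if found is None:
        print("Adobe Dimension not found on this host")
    elif is_vulnerable(found):
        print(f"Adobe Dimension {found}: vulnerable, update to 3.4.8 or later")
    else:
        print(f"Adobe Dimension {found}: fixed version installed")
```

An unparseable or truncated version string (for example "3.4") compares as vulnerable, which is the safe default for a fleet check.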

📡 Detection & Monitoring

Log Indicators:

  • Application crashes of Adobe Dimension
  • Unusual file access patterns from Adobe Dimension process

Network Indicators:

  • Outbound connections from Adobe Dimension to suspicious domains

SIEM Query:

process_name:"Adobe Dimension" AND (event_type:"process_crash" OR file_path:"*.dim")

🔗 References
