CVE-2023-25901

7.8 HIGH

📋 TL;DR

Adobe Dimension versions 3.4.7 and earlier contain an improper input validation vulnerability that could allow arbitrary code execution when a user opens a malicious file. This affects users of Adobe Dimension who open untrusted project files. The vulnerability requires user interaction to trigger.

💻 Affected Systems

Products:
  • Adobe Dimension
Versions: 3.4.7 and earlier
Operating Systems: Windows, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations of affected versions are vulnerable. No special configuration required for exploitation.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with attacker gaining full control of the user's system in the context of the current user, potentially leading to data theft, ransomware deployment, or persistent backdoor installation.

🟠 Likely Case

Local privilege escalation or malware execution when users open malicious Dimension project files from untrusted sources, potentially leading to credential theft or data exfiltration.

🟢 If Mitigated

No impact if users only open trusted files from verified sources and the software is properly patched.

🌐 Internet-Facing: LOW
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires user interaction (opening malicious file). No public exploit code available at time of advisory.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.4.8 or later

Vendor Advisory: https://helpx.adobe.com/security/products/dimension/apsb23-20.html

Restart Required: Yes

Instructions:

1. Open the Adobe Creative Cloud application.
2. Navigate to the 'Apps' tab.
3. Find Adobe Dimension and click 'Update' if available.
4. Alternatively, download the latest version from the Adobe website.
5. Restart the computer after installation.

🔧 Temporary Workarounds

Restrict file opening
Platforms: all

Only open Adobe Dimension files from trusted sources. Implement file type restrictions.

Application control
Platforms: all

Use application whitelisting to prevent execution of unauthorized code.

🧯 If You Can't Patch

  • Discontinue use of Adobe Dimension until patched. Use alternative software for 3D design work.
  • Implement strict user training about opening only verified files from trusted sources.

🔍 How to Verify

Check if Vulnerable:

Check Adobe Dimension version in Help > About Adobe Dimension. If version is 3.4.7 or earlier, system is vulnerable.

Check Version:

Not applicable - check via application GUI

Verify Fix Applied:

Verify Adobe Dimension version is 3.4.8 or later in Help > About Adobe Dimension.
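The version checks above are done by eye in the About dialog. When the same check is run across an inventory export, the comparison has to be numeric rather than lexical: a string comparison ranks "3.4.10" below "3.4.8" and would report a patched host as vulnerable. The following is an added example, not code from the advisory or from Adobe; it assumes version strings have already been collected (for instance from an endpoint management export) and uses the fixed version 3.4.8 stated in this advisory.

```python
import re

# Fixed version from the advisory: 3.4.8 or later is patched.
PATCHED_VERSION = (3, 4, 8)


def parse_version(text):
    """Parse a dotted version such as '3.4.7' into a tuple of ints.

    Tuples of ints compare numerically, so '3.4.10' correctly ranks
    above '3.4.8'. Anything that is not three dotted integers is
    rejected rather than silently treated as patched or vulnerable.
    """
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)\s*", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in m.groups())


def is_vulnerable(version_text):
    """True when the version is 3.4.7 or earlier (below the fixed release)."""
    return parse_version(version_text) < PATCHED_VERSION


def triage_inventory(inventory):
    """Classify (host, version) pairs as vulnerable, patched or unknown.

    'unknown' is returned for unparsable strings so that a blank or
    malformed field never masquerades as a patched host.
    """
    result = {}
    for host, version_text in inventory:
        try:
            result[host] = "vulnerable" if is_vulnerable(version_text) else "patched"
        except ValueError:
            result[host] = "unknown"
    return result


# Constructed sample inventory (hypothetical hosts, not real data).
SAMPLE_INVENTORY = [
    ("ws01", "3.4.7"),
    ("ws02", "3.4.8"),
    ("ws03", "3.4.10"),
    ("ws04", "3.3.12"),
    ("ws05", ""),
]

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts that come back as "unknown" should be checked manually in Help > About Adobe Dimension rather than assumed patched.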

📡 Detection & Monitoring

Log Indicators:

  • Unexpected Adobe Dimension crashes
  • Suspicious child processes spawned from Adobe Dimension
  • Unusual file access patterns from Adobe Dimension process

Network Indicators:

  • Unexpected outbound connections from Adobe Dimension process
  • DNS requests to suspicious domains after file opening

SIEM Query:

process_name:"Adobe Dimension.exe" AND (event_type:"process_creation" OR event_type:"crash")
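The SIEM query above returns every process-creation and crash event for the Dimension binary; the log indicators list what to look for in that result set. The following added example (not from the advisory or from Adobe) applies those two indicators, unexpected child processes and crashes, to a small constructed set of JSON process events. The field names (`event_type`, `host`, `image`, `parent_image`, `command_line`) and the sample events are assumptions modelled on a generic endpoint log, and the `allowed_children` allowlist is a placeholder to be filled from a baseline of what Dimension legitimately spawns in your environment.

```python
import json
from collections import Counter
from pathlib import PurePosixPath, PureWindowsPath

# Process names for Dimension on Windows and macOS (lower-cased basenames).
DIMENSION_NAMES = {"adobe dimension.exe", "adobe dimension"}

# Constructed sample events, not real telemetry. One JSON object per line.
SAMPLE_LOG = r"""
{"event_type": "process_creation", "host": "ws01", "image": "C:\\Program Files\\Adobe\\Adobe Dimension\\Adobe Dimension.exe", "parent_image": "C:\\Windows\\explorer.exe", "command_line": "\"Adobe Dimension.exe\" project.dn"}
{"event_type": "process_creation", "host": "ws01", "image": "C:\\Windows\\System32\\cmd.exe", "parent_image": "C:\\Program Files\\Adobe\\Adobe Dimension\\Adobe Dimension.exe", "command_line": "cmd.exe"}
{"event_type": "process_creation", "host": "ws03", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "parent_image": "C:\\Program Files\\Adobe\\Adobe Dimension\\Adobe Dimension.exe", "command_line": "powershell.exe"}
{"event_type": "process_creation", "host": "ws04", "image": "/bin/sh", "parent_image": "/Applications/Adobe Dimension.app/Contents/MacOS/Adobe Dimension", "command_line": "sh"}
{"event_type": "crash", "host": "ws02", "image": "C:\\Program Files\\Adobe\\Adobe Dimension\\Adobe Dimension.exe"}
{"event_type": "crash", "host": "ws02", "image": "C:\\Windows\\notepad.exe"}
"""


def load_events(text):
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def basename(path):
    """Lower-cased file name, handling Windows and POSIX paths in one stream."""
    if "\\" in path:
        return PureWindowsPath(path).name.lower()
    return PurePosixPath(path).name.lower()


def is_dimension(path):
    return basename(path) in DIMENSION_NAMES


def find_suspicious_children(events, allowed_children=frozenset()):
    """Alert on any process whose parent is Adobe Dimension, unless allowlisted.

    A 3D design application has little reason to spawn shells or
    interpreters, so the default allowlist is empty (an assumption);
    tune it from observed benign behaviour before deploying.
    """
    alerts = []
    for ev in events:
        if ev.get("event_type") != "process_creation":
            continue
        if not is_dimension(ev.get("parent_image", "")):
            continue
        child = basename(ev.get("image", ""))
        if child in allowed_children:
            continue
        alerts.append({
            "host": ev.get("host"),
            "child": child,
            "command_line": ev.get("command_line", ""),
        })
    return alerts


def count_dimension_crashes(events):
    """Crash events for the Dimension binary, counted per host."""
    return Counter(
        ev.get("host")
        for ev in events
        if ev.get("event_type") == "crash" and is_dimension(ev.get("image", ""))
    )


if __name__ == "__main__":
    events = load_events(SAMPLE_LOG)
    for alert in find_suspicious_children(events):
        print("child process alert:", alert)
    for host, n in count_dimension_crashes(events).items():
        print(f"{host}: {n} Dimension crash(es)")
```

A crash alone is weak evidence (malformed but benign files also crash parsers); a crash or a file open followed shortly by an unexpected child process or outbound connection from the same host is the combination worth escalating.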
