Login Sign Up

CVE-2025-43551

5.5 MEDIUM

📋 TL;DR

Substance3D Stager versions 3.1.1 and earlier contain an out-of-bounds read vulnerability that could allow attackers to read sensitive memory contents and potentially bypass ASLR protections. Users who open malicious files with affected versions are vulnerable. This primarily affects 3D artists and designers using Adobe's Substance3D Stager software.

💻 Affected Systems

Products:
  • Adobe Substance3D Stager
Versions: 3.1.1 and earlier
Operating Systems: Windows, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of affected versions are vulnerable when processing malicious files.

📦 What is this software?

Substance 3d Stager by Adobe

View all CVEs affecting Substance 3d Stager →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Memory disclosure could reveal sensitive information like credentials, encryption keys, or proprietary data, potentially enabling further attacks including code execution bypassing ASLR.

🟠

Likely Case

Limited information disclosure from memory, potentially revealing some application data but unlikely to lead directly to full system compromise without additional vulnerabilities.

🟢

If Mitigated

With proper controls, impact is limited to potential disclosure of some application memory contents without escalation to code execution.

🌐 Internet-Facing: LOW - Exploitation requires user interaction to open malicious files, not directly exploitable over network.
🏢 Internal Only: MEDIUM - Internal users could be targeted via phishing or shared malicious files, but requires user interaction.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires user interaction (opening malicious file) and understanding of memory layout to leverage disclosed information.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.1.2 or later

Vendor Advisory: https://helpx.adobe.com/security/products/substance3d_stager/apsb25-46.html

Restart Required: Yes

Instructions:

1. Open Substance3D Stager. 2. Go to Help > Check for Updates. 3. Install available updates. 4. Restart the application.

🔧 Temporary Workarounds

Restrict file sources

all

Only open Substance3D Stager files from trusted sources

Application sandboxing

all

Run Substance3D Stager in restricted environment/sandbox

🧯 If You Can't Patch

  • Implement application whitelisting to prevent execution of unauthorized files
  • Use email/web filtering to block potentially malicious attachments

🔍 How to Verify

Check if Vulnerable:

Check Substance3D Stager version in application (Help > About) - if version is 3.1.1 or earlier, it's vulnerable.

Check Version:

Not applicable - check via application GUI Help > About

Verify Fix Applied:

Verify version is 3.1.2 or later in Help > About menu.

📡 Detection & Monitoring

Log Indicators:

  • Application crashes when opening files
  • Unusual memory access patterns in application logs

Network Indicators:

  • Downloads of suspicious Substance3D Stager files from untrusted sources

SIEM Query:

EventID for application crashes with Substance3D Stager process

📊 Metadata

CVE ID: CVE-2025-43551
CVSS v3 Score: 5.5 (MEDIUM)
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
CWE: CWE-125
EPSS Score: 0.04% exploit probability (12.5th percentile)
Published: May 13, 2025
Last Updated: May 19, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-43551, you might also want to check these:

CVE-2021-41556 10.0

CVE-2021-41556 is a critical out-of-bounds read vulnerability in Squirrel scripting language that al...

Same vulnerability type (CWE-125)
CVE-2024-22004 10.0

This vulnerability allows attackers with privileged access on Linux non-secure operating systems to ...

Same vulnerability type (CWE-125)
CVE-2021-21777 10.0

CVE-2021-21777 is a critical out-of-bounds read vulnerability in the Ethernet/IP UDP handler of OpEN...

Same vulnerability type (CWE-125)