CVE-2025-43553
📋 TL;DR
CVE-2025-43553 is an uncontrolled search path vulnerability in Substance3D Modeler that allows attackers to execute arbitrary code by tricking users into opening malicious files. The vulnerability affects users running versions 1.21.0 and earlier, enabling attackers to load malicious libraries or executables through path manipulation.
💻 Affected Systems
- Adobe Substance3D Modeler
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with attacker gaining the same privileges as the current user, potentially leading to data theft, ransomware deployment, or persistent backdoor installation.
Likely Case
Local privilege escalation or malware execution when users open specially crafted files from untrusted sources.
If Mitigated
No impact if users only open trusted files and proper application hardening is implemented.
🎯 Exploit Status
Exploitation requires user interaction (opening malicious file) and knowledge of the application's search path behavior.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.22.0 or later
Vendor Advisory: https://helpx.adobe.com/security/products/substance3d-modeler/apsb25-51.html
Restart Required: Yes
Instructions:
1. Open Substance3D Modeler.
2. Go to Help > Check for Updates.
3. Follow prompts to install version 1.22.0 or later.
4. Restart the application.
🔧 Temporary Workarounds
Restrict file execution from untrusted locations
All platforms: Configure Windows/macOS to prevent execution of files from temporary directories and untrusted network locations
Use application sandboxing
All platforms: Run Substance3D Modeler in a sandboxed environment to limit potential damage
🧯 If You Can't Patch
- Implement strict file opening policies - only open files from trusted sources
- Use endpoint protection software to detect and block malicious DLL/executable loading
🔍 How to Verify
Check if Vulnerable:
Check Help > About in Substance3D Modeler. If version is 1.21.0 or earlier, you are vulnerable.
Check Version:
Not applicable - check via application GUI
Verify Fix Applied:
After updating, verify version is 1.22.0 or later in Help > About.
📡 Detection & Monitoring
Log Indicators:
- Unexpected DLL/executable loading from unusual paths
- Application crashes with suspicious file paths
Network Indicators:
- None - this is a local file-based vulnerability
SIEM Query:
Process creation events from Substance3D Modeler loading DLLs from non-standard paths
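The log indicator and SIEM query above can be turned into a concrete rule over image-load telemetry. The following is an added example, not part of the vendor advisory or Adobe's tooling: it filters events carrying Sysmon Event ID 7 field names (`Image`, `ImageLoaded`) for modules the application loaded from outside an allowlist of directories. The executable name `modeler.exe`, the install root, and the sample events are assumptions constructed for illustration; substitute the values from your own deployment.

```python
import ntpath

# Assumptions for this sketch, not values from the advisory:
PROCESS_NAME = "modeler.exe"            # placeholder image name
TRUSTED_DIRS = [                        # assumed install root + OS library dirs
    r"C:\Program Files\Adobe",
    r"C:\Windows\System32",
    r"C:\Windows\SysWOW64",
    r"C:\Windows\WinSxS",
]

def _norm(path):
    # Collapse "..", unify separators and case so comparisons cannot be dodged.
    return ntpath.normcase(ntpath.normpath(path))

def is_trusted(module_path, trusted_dirs=TRUSTED_DIRS):
    p = _norm(module_path)
    # Require a separator after the directory so "AdobeEvil" does not match "Adobe".
    return any(p.startswith(_norm(d) + "\\") for d in trusted_dirs)

def suspicious_loads(events, process_name=PROCESS_NAME):
    """Return image-load events where the target process loaded a module
    from outside the trusted directories."""
    hits = []
    for ev in events:
        if ntpath.basename(ev["Image"]).lower() != process_name.lower():
            continue  # another process; out of scope for this rule
        if not is_trusted(ev["ImageLoaded"]):
            hits.append(ev)
    return hits

# Constructed sample events using Sysmon Event ID 7 field names.
EXE = r"C:\Program Files\Adobe\Modeler\modeler.exe"
SAMPLE_EVENTS = [
    {"Image": EXE, "ImageLoaded": r"C:\Windows\System32\version.dll"},
    {"Image": EXE, "ImageLoaded": r"c:/program files/adobe/Modeler/plugin.dll"},
    {"Image": EXE, "ImageLoaded": r"C:\Users\alice\Downloads\scene\version.dll"},
    {"Image": EXE, "ImageLoaded": r"C:\Program Files\AdobeEvil\helper.dll"},
    {"Image": EXE, "ImageLoaded": r"C:\Program Files\Adobe\..\..\Users\Public\x.dll"},
    {"Image": r"C:\Windows\notepad.exe", "ImageLoaded": r"C:\Users\alice\Downloads\a.dll"},
]

if __name__ == "__main__":
    for ev in suspicious_loads(SAMPLE_EVENTS):
        print("ALERT", ev["ImageLoaded"])
```

Paths are normalized before comparison, so a lookalike directory name or a `..` traversal out of the install root is still flagged.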