CVE-2025-54191 – Substance3D Painter versions 11.0.2 and earlier... (How to Fix)

Q: What is the severity of CVE-2025-54191?

CVE-2025-54191 has a CVSS score of 5.5 (MEDIUM). Substance3D Painter versions 11.0.2 and earlier contain an out-of-bounds read vulnerability that could allow attackers to read sensitive memory contents. Users who open malicious files with affected versions are vulnerable to potential information disclosure. This requires user interaction through opening a malicious file.

📋 TL;DR

Substance3D Painter versions 11.0.2 and earlier contain an out-of-bounds read vulnerability that could allow attackers to read sensitive memory contents. Users who open malicious files with affected versions are vulnerable to potential information disclosure. This requires user interaction through opening a malicious file.

💻 Affected Systems

Products:

Adobe Substance3D Painter

Versions: 11.0.2 and earlier

Operating Systems: Windows, macOS, Linux

Default Config Vulnerable: ⚠️ Yes

Notes: All installations of affected versions are vulnerable by default when opening files.

📦 What is this software?

Substance 3d Painter by Adobe

View all CVEs affecting Substance 3d Painter →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Sensitive memory contents including passwords, encryption keys, or other application data could be disclosed to an attacker.

🟠

Likely Case

Limited memory disclosure that could aid in further exploitation or reveal application-specific data.

🟢

If Mitigated

No impact if users only open trusted files or have patched versions.

🌐 Internet-Facing: LOW - Requires user to download and open malicious files, not directly exploitable over network.

🏢 Internal Only: MEDIUM - Internal users could be tricked into opening malicious files via phishing or shared drives.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Requires user interaction (opening malicious file) and knowledge of file format manipulation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 11.0.3 or later

Vendor Advisory: https://helpx.adobe.com/security/products/substance3d_painter/apsb25-77.html

Restart Required: No

Instructions:

1. Open Substance3D Painter. 2. Go to Help > Check for Updates. 3. Follow prompts to install version 11.0.3 or later. 4. Alternatively, download latest version from Adobe Creative Cloud.

🔧 Temporary Workarounds

Restrict file opening

all

Only open Substance3D Painter files from trusted sources

🧯 If You Can't Patch

Implement application whitelisting to prevent execution of unauthorized files
Educate users to only open Substance3D Painter files from trusted sources

🔍 How to Verify

Check if Vulnerable:

Check Substance3D Painter version in Help > About Substance3D Painter. If version is 11.0.2 or earlier, system is vulnerable.

Check Version:

Not applicable - check via application GUI

Verify Fix Applied:

Verify version is 11.0.3 or later in Help > About Substance3D Painter.

📡 Detection & Monitoring

Log Indicators:

Application crashes when opening files
Unusual memory access patterns in application logs

Network Indicators:

Downloads of Substance3D Painter files from untrusted sources

SIEM Query:

EventID=4688 AND ProcessName LIKE '%Painter%' AND CommandLine LIKE '%.spp%'

📊 Metadata

CVE ID: CVE-2025-54191

CVSS v3 Score: 5.5 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

CWE: CWE-125

EPSS Score: 0.02% exploit probability (5.5th percentile)

Published: August 12, 2025

Last Updated: August 13, 2025

🔗 References

https://helpx.adobe.com/security/products/substance3d_painter/apsb25-77.html Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-54191, you might also want to check these: