CVE-2025-54193 – Substance3D Painter versions 11.0.2 and earlier... (How to Fix)

Q: What is the severity of CVE-2025-54193?

CVE-2025-54193 has a CVSS score of 5.5 (MEDIUM). Substance3D Painter versions 11.0.2 and earlier contain an out-of-bounds read vulnerability that could allow attackers to read sensitive memory contents. This affects users who open malicious project files, potentially exposing confidential data. The vulnerability requires user interaction through opening a malicious file.

📋 TL;DR

Substance3D Painter versions 11.0.2 and earlier contain an out-of-bounds read vulnerability that could allow attackers to read sensitive memory contents. This affects users who open malicious project files, potentially exposing confidential data. The vulnerability requires user interaction through opening a malicious file.

💻 Affected Systems

Products:

Adobe Substance3D Painter

Versions: 11.0.2 and earlier

Operating Systems: Windows, macOS, Linux

Default Config Vulnerable: ⚠️ Yes

Notes: All installations of affected versions are vulnerable when opening files.

📦 What is this software?

Substance 3d Painter by Adobe

View all CVEs affecting Substance 3d Painter →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Sensitive memory disclosure including passwords, encryption keys, or other application data could be extracted by an attacker.

🟠

Likely Case

Limited memory disclosure of application state or user data, potentially enabling further attacks or information gathering.

🟢

If Mitigated

No impact if users only open trusted files from verified sources.

🌐 Internet-Facing: LOW - Requires user to download and open malicious files, not directly exploitable over network.

🏢 Internal Only: MEDIUM - Internal users could be tricked into opening malicious files via phishing or shared drives.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Requires crafting malicious Substance3D Painter project files and social engineering to get users to open them.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 11.0.3 or later

Vendor Advisory: https://helpx.adobe.com/security/products/substance3d_painter/apsb25-77.html

Restart Required: No

Instructions:

1. Open Substance3D Painter. 2. Go to Help > Check for Updates. 3. Install version 11.0.3 or later. 4. Alternatively, download from Adobe Creative Cloud desktop app.

🔧 Temporary Workarounds

Restrict file opening

all

Only open Substance3D Painter files from trusted sources and verify file integrity before opening.

🧯 If You Can't Patch

Implement application whitelisting to prevent execution of older vulnerable versions
Educate users to never open Substance3D Painter files from untrusted sources

🔍 How to Verify

Check if Vulnerable:

Check Substance3D Painter version in Help > About Substance Painter. If version is 11.0.2 or earlier, system is vulnerable.

Check Version:

Not applicable - check via application GUI

Verify Fix Applied:

Verify version is 11.0.3 or later in Help > About Substance Painter.

📡 Detection & Monitoring

Log Indicators:

Application crashes when opening files
Unusual memory access patterns in application logs

Network Indicators:

Downloads of Substance3D Painter files from untrusted sources

SIEM Query:

EventID for application crashes with Substance3D Painter process, or file downloads with .spp extension

📊 Metadata

CVE ID: CVE-2025-54193

CVSS v3 Score: 5.5 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

CWE: CWE-125

EPSS Score: 0.02% exploit probability (5.5th percentile)

Published: August 12, 2025

Last Updated: August 13, 2025

🔗 References

https://helpx.adobe.com/security/products/substance3d_painter/apsb25-77.html Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-54193, you might also want to check these: