CVE-2025-54197 – CVE-2025-54197 is an out-of-bounds read vulnera... (How to Fix)

Q: What is the severity of CVE-2025-54197?

CVE-2025-54197 has a CVSS score of 5.5 (MEDIUM). CVE-2025-54197 is an out-of-bounds read vulnerability in Substance3D Modeler that could allow an attacker to read sensitive memory contents. This affects users of Substance3D Modeler versions 1.22.0 and earlier who open malicious files. The vulnerability requires user interaction through opening a specially crafted file.

📋 TL;DR

CVE-2025-54197 is an out-of-bounds read vulnerability in Substance3D Modeler that could allow an attacker to read sensitive memory contents. This affects users of Substance3D Modeler versions 1.22.0 and earlier who open malicious files. The vulnerability requires user interaction through opening a specially crafted file.

💻 Affected Systems

Products:

Adobe Substance3D Modeler

Versions: 1.22.0 and earlier

Operating Systems: Windows, macOS

Default Config Vulnerable: ⚠️ Yes

Notes: All installations of affected versions are vulnerable by default when opening files.

📦 What is this software?

Substance 3d Modeler by Adobe

View all CVEs affecting Substance 3d Modeler →

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker could read sensitive memory contents including passwords, encryption keys, or other application data, potentially leading to further system compromise.

🟠

Likely Case

Information disclosure of application memory contents, which could include user data or system information that might aid in further attacks.

🟢

If Mitigated

Limited impact with proper file handling policies and user awareness training in place.

🌐 Internet-Facing: LOW - Exploitation requires user interaction with malicious files, not direct network access.

🏢 Internal Only: MEDIUM - Internal users could be targeted via phishing or shared malicious files.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Requires user to open a malicious file, making social engineering a key component of exploitation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.23.0 or later

Vendor Advisory: https://helpx.adobe.com/security/products/substance3d-modeler/apsb25-76.html

Restart Required: No

Instructions:

1. Open Substance3D Modeler. 2. Go to Help > Check for Updates. 3. Follow prompts to update to version 1.23.0 or later. 4. Alternatively, download the latest version from Adobe's website.

🔧 Temporary Workarounds

Restrict file sources

all

Only open Substance3D Modeler files from trusted sources and avoid opening files from unknown or untrusted origins.

🧯 If You Can't Patch

Implement application whitelisting to restrict execution of older vulnerable versions
Deploy security awareness training about opening files from untrusted sources

🔍 How to Verify

Check if Vulnerable:

Check Substance3D Modeler version via Help > About Substance3D Modeler. If version is 1.22.0 or earlier, the system is vulnerable.

Check Version:

Not applicable - check via application GUI Help > About menu

Verify Fix Applied:

Verify version is 1.23.0 or later via Help > About Substance3D Modeler.

📡 Detection & Monitoring

Log Indicators:

Application crashes or unusual memory access patterns in application logs
Files with unusual extensions or names being opened

Network Indicators:

No direct network indicators - exploitation is file-based

SIEM Query:

EventID for application crashes or file access from Substance3D Modeler process

📊 Metadata

CVE ID: CVE-2025-54197

CVSS v3 Score: 5.5 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

CWE: CWE-125

EPSS Score: 0.02% exploit probability (5.5th percentile)

Published: August 12, 2025

Last Updated: August 13, 2025

🔗 References

https://helpx.adobe.com/security/products/substance3d-modeler/apsb25-76.html Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-54197, you might also want to check these: