CVE-2025-54237

5.5 MEDIUM

📋 TL;DR

Substance3D Stager versions 3.1.3 and earlier contain an out-of-bounds read vulnerability that could allow memory exposure when processing malicious files. Attackers could exploit this to disclose sensitive information from the application's memory. Users who open untrusted files with vulnerable versions are affected.

💻 Affected Systems

Products:
  • Adobe Substance3D Stager
Versions: 3.1.3 and earlier
Operating Systems: Windows, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of affected versions are vulnerable when processing files.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker could extract sensitive information from application memory, potentially including authentication tokens, file contents, or other confidential data.

🟠 Likely Case

Limited information disclosure from memory when users open specially crafted malicious files.

🟢 If Mitigated

No impact if users only open trusted files or have patched to version 3.1.4 or later.

🌐 Internet-Facing: LOW - Exploitation requires user interaction to open malicious files, not directly network-exploitable.
🏢 Internal Only: MEDIUM - Internal users could be targeted via phishing or malicious files shared internally.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires user interaction (opening malicious file) and successful exploitation depends on memory layout and file content.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.1.4 or later

Vendor Advisory: https://helpx.adobe.com/security/products/substance3d_stager/apsb25-81.html

Restart Required: No

Instructions:

1. Open Substance3D Stager.
2. Go to Help > Check for Updates.
3. Install version 3.1.4 or later.
4. Verify the installation by checking the version in the About dialog.

🔧 Temporary Workarounds

Restrict file opening (all platforms)

Only open files from trusted sources and avoid opening unknown or suspicious files.

🧯 If You Can't Patch

  • Implement application whitelisting to restrict execution of vulnerable versions
  • Use endpoint protection that can detect and block malicious file types

🔍 How to Verify

Check if Vulnerable:

Check version in Substance3D Stager: Help > About Substance3D Stager. If version is 3.1.3 or earlier, system is vulnerable.

Check Version:

Not applicable - check via application GUI

Verify Fix Applied:

Verify version is 3.1.4 or later in Help > About Substance3D Stager dialog.

📡 Detection & Monitoring

Log Indicators:

  • Application crashes or unexpected termination when opening files
  • Unusual memory access patterns in application logs

Network Indicators:

  • No direct network indicators - exploitation is local file-based

SIEM Query:

Search application-crash events (Windows Application log, "Application Error" source) where the faulting process name is the Substance3D Stager executable.
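The following is an added example (not part of the advisory and not Adobe's tooling) that turns the crash-event query above into a runnable PowerShell check for a Windows host. It assumes the Stager executable name matches the pattern `*Stager*`; that pattern is a guess and should be replaced with the process name seen on your installation. The Event ID 1000 property layout (faulting application name, version, module, exception code) is the standard Windows "Application Error" format. macOS crash reports are not covered here.

```powershell
# Added example, not from the advisory: list recent "Application Error"
# crash events (Event ID 1000, Application log) whose faulting application
# looks like Substance 3D Stager, and flag crashes of vulnerable versions.
# ASSUMPTION: $ProcessPattern is a guess; adjust to the real executable name.

$ProcessPattern = '*Stager*'
$Since          = (Get-Date).AddDays(-7)

$crashes = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Application Error'
    Id           = 1000
    StartTime    = $Since
} -ErrorAction SilentlyContinue |
Where-Object {
    # For Event ID 1000, Properties[0] is the faulting application name.
    $_.Properties[0].Value -like $ProcessPattern
} |
ForEach-Object {
    # Properties[1] = app version, [3] = faulting module, [6] = exception code
    [pscustomobject]@{
        TimeCreated    = $_.TimeCreated
        Computer       = $_.MachineName
        Application    = $_.Properties[0].Value
        AppVersion     = $_.Properties[1].Value
        FaultingModule = $_.Properties[3].Value
        ExceptionCode  = $_.Properties[6].Value
    }
}

# Human-readable triage view, newest first
$crashes | Sort-Object TimeCreated -Descending | Format-Table -AutoSize

# Highlight crashes from builds at or below 3.1.3 (the last unpatched version).
# "-as [version]" returns $null instead of throwing if the string is not a version.
$crashes |
Where-Object {
    $v = $_.AppVersion -as [version]
    $v -and ($v -le [version]'3.1.3')
} |
ForEach-Object {
    Write-Warning ("Vulnerable Stager build {0} crashed on {1} at {2} (module {3}, code {4})" -f
        $_.AppVersion, $_.Computer, $_.TimeCreated, $_.FaultingModule, $_.ExceptionCode)
}
```

Run it in an elevated PowerShell session on the endpoint, or point `Get-WinEvent` at a remote host with `-ComputerName` once event-log access is allowed. A crash in a 3.1.3-or-earlier build is a prompt to collect the file that was opened and to prioritise that host for the 3.1.4 update, not proof of exploitation on its own.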
