CVE-2025-54260

7.8 HIGH

📋 TL;DR

Substance3D Modeler versions 1.22.2 and earlier contain an out-of-bounds read vulnerability when parsing malicious files. This could allow an attacker to execute arbitrary code with the privileges of the current user. Users who open untrusted files with affected versions are at risk.

💻 Affected Systems

Products:
  • Adobe Substance3D Modeler
Versions: 1.22.2 and earlier
Operating Systems: Windows, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of affected versions are vulnerable when opening files.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise through remote code execution, allowing an attacker to install malware, steal data, or pivot to other systems.

🟠

Likely Case

Local privilege escalation leading to data theft or system manipulation, requiring the user to open a malicious file.

🟢

If Mitigated

Denial of service or application crash if memory protections prevent code execution.

🌐 Internet-Facing: LOW - Exploitation requires user interaction to open malicious files, not directly network exploitable.
🏢 Internal Only: MEDIUM - Internal users could be targeted via phishing or shared malicious files, but requires user interaction.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires the user to open a malicious file. No public exploit code is known at this time.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.22.3 or later

Vendor Advisory: https://helpx.adobe.com/security/products/substance3d-modeler/apsb25-92.html

Restart Required: Yes

Instructions:

1. Open Substance3D Modeler.
2. Go to Help > Check for Updates.
3. Install available updates.
4. Restart the application.

🔧 Temporary Workarounds

Restrict file opening

Platforms: all

Only open files from trusted sources and disable automatic file opening features.

Application sandboxing

Platforms: all

Run Substance3D Modeler in a sandboxed environment to limit potential damage.

🧯 If You Can't Patch

  • Implement application whitelisting to prevent execution of malicious code
  • Use endpoint detection and response (EDR) tools to monitor for suspicious file parsing behavior

🔍 How to Verify

Check if Vulnerable:

Check Help > About in Substance3D Modeler. If the version is 1.22.2 or earlier, you are vulnerable.

Check Version:

Open Substance3D Modeler and navigate to Help > About.

Verify Fix Applied:

Verify that the version shown in Help > About is 1.22.3 or later.

📡 Detection & Monitoring

Log Indicators:

  • Application crashes when opening files
  • Unusual memory access patterns in application logs

Network Indicators:

  • File downloads from untrusted sources followed by application crashes

SIEM Query:

(EventID=1000 OR EventID=1001) AND ProcessName="Substance3D Modeler.exe" AND Keywords="Application Error"

🔗 References
