CVE-2025-21128: 
Adobe Substance 3D Stager vulnerability analysis and mitigation

A Stack-based Buffer Overflow vulnerability (CVE-2025-21128) affects Adobe Substance3D - Stager versions 3.0.4 and earlier. The vulnerability was discovered on January 14, 2025, and could result in arbitrary code execution in the context of the current user. The affected platforms include both Windows and macOS operating systems (Adobe Advisory, NVD).

The vulnerability is classified as a Stack-based Buffer Overflow (CWE-121) with a CVSS v3.1 base score of 7.8 (HIGH). The CVSS vector string is CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, indicating local access vector, low attack complexity, no privileges required, user interaction required, and high impact on confidentiality, integrity, and availability (Adobe Advisory).

Successful exploitation of this vulnerability could lead to arbitrary code execution in the context of the current user. The vulnerability requires user interaction, specifically requiring a victim to open a malicious file (Adobe Advisory).

Adobe has released version 3.1.0 of Substance 3D Stager to address this vulnerability. Users are recommended to update their installation to the newest version via the Creative Cloud desktop app's update mechanism. For managed environments, IT administrators can use the Admin Console to deploy the update to end users (Adobe Advisory).