CVE-2025-21139: 
Adobe Substance 3D Designer vulnerability analysis and mitigation

Adobe Substance 3D Designer versions 14.0 and earlier are affected by a Heap-based Buffer Overflow vulnerability (CVE-2025-21139) that could result in arbitrary code execution in the context of the current user. The vulnerability was disclosed on January 14, 2025, and requires user interaction through opening a malicious file for exploitation (Adobe Advisory, NVD).

The vulnerability is classified as a Heap-based Buffer Overflow (CWE-122) with a CVSS v3.1 base score of 7.8 (HIGH). The CVSS vector string is CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, indicating local access vector, low attack complexity, no privileges required, and user interaction required for exploitation (Adobe Advisory).

Successful exploitation of this vulnerability could lead to arbitrary code execution in the context of the current user, potentially allowing an attacker to execute malicious code with the same privileges as the affected user (Adobe Advisory, NVD).

Adobe has released version 14.1 of Substance 3D Designer to address this vulnerability. Users are recommended to update their installation to the newest version via the Creative Cloud desktop app's update mechanism. For managed environments, IT administrators can use the Admin Console to deploy Creative Cloud applications to end users (Adobe Advisory).

The vulnerability was discovered and reported by security researcher Jony (jony_juice) through Adobe's public bug bounty program with HackerOne (Adobe Advisory).