CVE-2025-30322: 
Adobe Substance 3D Painter vulnerability analysis and mitigation

Adobe Substance 3D Painter versions 11.0 and earlier are affected by an out-of-bounds write vulnerability (CVE-2025-30322). The vulnerability was discovered and disclosed on May 13, 2025, requiring user interaction through opening a malicious file for exploitation (NVD, Wiz).

The vulnerability is classified as an out-of-bounds write (CWE-787) with a CVSS v3.1 base score of 7.8 (HIGH). The attack vector is local (AV:L), with low attack complexity (AC:L), requiring no privileges (PR:N) but needs user interaction (UI:R). The scope is unchanged (S:U), with high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H) (NVD, Wiz).

If successfully exploited, this vulnerability could enable an attacker to execute arbitrary code in the context of the logged-on user. The impact severity depends on user privileges - attackers could potentially install programs, view, change, or delete data, or create new accounts with full user rights. Users with fewer system privileges may experience less severe impacts compared to those with administrative rights (Wiz).

Users are advised to update to a version newer than Substance3D - Painter 11.0. Adobe has released a stable channel update that should be applied immediately after appropriate testing. Organizations are recommended to implement the principle of least privilege and restrict user permissions to minimize potential exploitation impact (Wiz).