cnvd - cnvd-2025-19228

CNVD-2025-19228

Vulnerability from cnvd - Published: 2025-08-22

Title

Adobe Substance3D Modeler代码执行漏洞（CNVD-2025-19228）

Description

Adobe Substance3D Modeler是Adobe Substance 3D系列软件中的核心工具，专为3D建模设计，支持数字黏土雕刻、对称工具、自动化UV管理等功能，可实现跨计算机VR环境无缝切换。 Adobe Substance3D Modeler存在代码执行漏洞，该漏洞源于不受控制的搜索路径元素，攻击者利用该漏洞导致执行任意代码。

Severity

高

Patch Name

Adobe Substance3D Modeler代码执行漏洞（CNVD-2025-19228）的补丁

Patch Description

Formal description

目前厂商已发布升级程序修复该安全问题，详情见厂商官网： https://helpx.adobe.com/security/products/substance3d-modeler/apsb25-76.html

Reference

https://nvd.nist.gov/vuln/detail/CVE-2025-49571

Impacted products

Name
Adobe Substance 3D Modeler <=1.22.0

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2025-49571",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2025-49571"
    }
  },
  "description": "Adobe Substance3D Modeler\u662fAdobe Substance 3D\u7cfb\u5217\u8f6f\u4ef6\u4e2d\u7684\u6838\u5fc3\u5de5\u5177\uff0c\u4e13\u4e3a3D\u5efa\u6a21\u8bbe\u8ba1\uff0c\u652f\u6301\u6570\u5b57\u9ecf\u571f\u96d5\u523b\u3001\u5bf9\u79f0\u5de5\u5177\u3001\u81ea\u52a8\u5316UV\u7ba1\u7406\u7b49\u529f\u80fd\uff0c\u53ef\u5b9e\u73b0\u8de8\u8ba1\u7b97\u673aVR\u73af\u5883\u65e0\u7f1d\u5207\u6362\u3002\n\nAdobe Substance3D Modeler\u5b58\u5728\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u4e0d\u53d7\u63a7\u5236\u7684\u641c\u7d22\u8def\u5f84\u5143\u7d20\uff0c\u653b\u51fb\u8005\u5229\u7528\u8be5\u6f0f\u6d1e\u5bfc\u81f4\u6267\u884c\u4efb\u610f\u4ee3\u7801\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u7a0b\u5e8f\u4fee\u590d\u8be5\u5b89\u5168\u95ee\u9898\uff0c\u8be6\u60c5\u89c1\u5382\u5546\u5b98\u7f51\uff1a\r\nhttps://helpx.adobe.com/security/products/substance3d-modeler/apsb25-76.html",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2025-19228",
  "openTime": "2025-08-22",
  "patchDescription": "Adobe Substance3D Modeler\u662fAdobe Substance 3D\u7cfb\u5217\u8f6f\u4ef6\u4e2d\u7684\u6838\u5fc3\u5de5\u5177\uff0c\u4e13\u4e3a3D\u5efa\u6a21\u8bbe\u8ba1\uff0c\u652f\u6301\u6570\u5b57\u9ecf\u571f\u96d5\u523b\u3001\u5bf9\u79f0\u5de5\u5177\u3001\u81ea\u52a8\u5316UV\u7ba1\u7406\u7b49\u529f\u80fd\uff0c\u53ef\u5b9e\u73b0\u8de8\u8ba1\u7b97\u673aVR\u73af\u5883\u65e0\u7f1d\u5207\u6362\u3002\r\n\r\nAdobe Substance3D Modeler\u5b58\u5728\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u4e0d\u53d7\u63a7\u5236\u7684\u641c\u7d22\u8def\u5f84\u5143\u7d20\uff0c\u653b\u51fb\u8005\u5229\u7528\u8be5\u6f0f\u6d1e\u5bfc\u81f4\u6267\u884c\u4efb\u610f\u4ee3\u7801\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Adobe Substance3D Modeler\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e\uff08CNVD-2025-19228\uff09\u7684\u8865\u4e01",
  "products": {
    "product": "Adobe Substance 3D Modeler \u003c=1.22.0"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2025-49571",
  "serverity": "\u9ad8",
  "submitTime": "2025-08-18",
  "title": "Adobe Substance3D Modeler\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e\uff08CNVD-2025-19228\uff09"
}

CVE-2025-49571 (GCVE-0-2025-49571)

Vulnerability from cvelistv5 – Published: 2025-08-12 20:36 – Updated: 2025-08-13 20:12

Summary

Substance3D - Modeler versions 1.22.0 and earlier are affected by an Uncontrolled Search Path Element vulnerability that could result in arbitrary code execution in the context of the current user. If the application uses an uncontrolled search path to locate critical resources such as programs, an attacker could modify that search path to point to a malicious program, which the targeted application would then execute. Exploitation of this issue does not require user interaction.

Severity ?

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

CWE-427 - Uncontrolled Search Path Element (CWE-427)

Assigner

adobe

References

URL

Tags

https://helpx.adobe.com/security/products/substan…

vendor-advisory

Impacted products

	Vendor	Product	Version
	Adobe	Substance3D - Modeler	Affected: 0 , ≤ 1.22.0 (semver)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-49571",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-08-13T15:04:48.261283Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-08-13T20:12:59.292Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "affected",
          "product": "Substance3D - Modeler",
          "vendor": "Adobe",
          "versions": [
            {
              "lessThanOrEqual": "1.22.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "datePublic": "2025-08-12T17:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "Substance3D - Modeler versions 1.22.0 and earlier are affected by an Uncontrolled Search Path Element vulnerability that could result in arbitrary code execution in the context of the current user. If the application uses an uncontrolled search path to locate critical resources such as programs, an attacker could modify that search path to point to a malicious program, which the targeted application would then execute. Exploitation of this issue does not require user interaction."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "availabilityRequirement": "NOT_DEFINED",
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "confidentialityRequirement": "NOT_DEFINED",
            "environmentalScore": 7.8,
            "environmentalSeverity": "HIGH",
            "exploitCodeMaturity": "NOT_DEFINED",
            "integrityImpact": "HIGH",
            "integrityRequirement": "NOT_DEFINED",
            "modifiedAttackComplexity": "LOW",
            "modifiedAttackVector": "LOCAL",
            "modifiedAvailabilityImpact": "HIGH",
            "modifiedConfidentialityImpact": "HIGH",
            "modifiedIntegrityImpact": "HIGH",
            "modifiedPrivilegesRequired": "NONE",
            "modifiedScope": "UNCHANGED",
            "modifiedUserInteraction": "REQUIRED",
            "privilegesRequired": "NONE",
            "remediationLevel": "NOT_DEFINED",
            "reportConfidence": "NOT_DEFINED",
            "scope": "UNCHANGED",
            "temporalScore": 7.8,
            "temporalSeverity": "HIGH",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-427",
              "description": "Uncontrolled Search Path Element (CWE-427)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-12T20:36:07.533Z",
        "orgId": "078d4453-3bcd-4900-85e6-15281da43538",
        "shortName": "adobe"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://helpx.adobe.com/security/products/substance3d-modeler/apsb25-76.html"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Substance3D - Modeler | Uncontrolled Search Path Element (CWE-427)"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
    "assignerShortName": "adobe",
    "cveId": "CVE-2025-49571",
    "datePublished": "2025-08-12T20:36:07.533Z",
    "dateReserved": "2025-06-06T15:42:09.519Z",
    "dateUpdated": "2025-08-13T20:12:59.292Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2025-19228

CVE-2025-49571 (GCVE-0-2025-49571)

Tags

Sightings

Nomenclature