CVE-2025-47108

EUVD-2025-17694 HIGH
2025-06-10 [email protected]
CVSS 3.1: 7.8

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Mar 14, 2026 - 19:49 (vuln.today)
EUVD ID Assigned: Mar 14, 2026 - 19:49 (euvd), EUVD-2025-17694
CVE Published: Jun 10, 2025 - 17:23 (nvd), HIGH 7.8

Description

Substance3D - Painter versions 11.0.1 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Analysis

CVE-2025-47108 is an out-of-bounds write vulnerability in Adobe Substance3D Painter versions 11.0.1 and earlier that allows arbitrary code execution with user-level privileges. The vulnerability requires user interaction, specifically opening a malicious file, making it a file-based attack vector. While the CVSS 3.1 score of 7.8 indicates high severity with a local attack vector, exploitation depends on social engineering to deliver the malicious file.

Technical Context

This vulnerability is classified as CWE-787 (Out-of-bounds Write), a memory safety issue where the application writes data beyond the boundaries of allocated memory buffers. In Substance3D Painter, a 3D content creation and painting application built on Adobe's proprietary rendering and asset handling libraries, improper bounds checking during file parsing or processing allows an attacker to overwrite adjacent memory regions. The affected CPE is likely cpe:2.3:a:adobe:substance_3d_painter:*:*:*:*:*:*:*:* with versions <=11.0.1. This class of vulnerability typically occurs in native code (C/C++) components handling binary file formats, serialization, or texture/mesh data without adequate validation, leading to heap or stack corruption.

Affected Products

Substance3D Painter (11.0.1 and earlier)

Remediation

Patched Version: Upgrade Substance3D Painter to version 11.1.0 or later (assumed patch version; verify against Adobe official security advisory); priority: High

Vendor Advisory: Consult official Adobe Security Bulletin for CVE-2025-47108 at https://helpx.adobe.com/security/products/substance3d_painter/ (typical location; verify current link); priority: Critical

Workaround: Until patched, restrict file opening permissions and educate users not to open untrusted or unexpected .spp (Substance3D Painter project) files or related asset files from untrusted sources; priority: Medium

Deployment Mitigation: Run Substance3D Painter in sandboxed or virtualized environments where possible to limit code execution impact; priority: Medium

Priority Score

39 (KEV: 0, EPSS: +0.0, CVSS: +39, POC: 0)
