SecuriTricks - CVE-2025-27167

Description

Illustrator versions 29.2.1, 28.7.4 and earlier are affected by an Untrusted Search Path vulnerability that might allow attackers to execute their own programs, access unauthorized data files, or modify configuration in unexpected ways. If the application uses a search path to locate critical resources such as programs, then an attacker could modify that search path to point to a malicious program, which the targeted application would then execute. The problem extends to any type of critical resource that the application trusts.

Product(s) Impacted

Vendor	Product	Versions
Adobe	Illustrator	29.2.1, 28.7.4, *

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-426

Untrusted Search Path

The product searches for critical resources using an externally-supplied search path that can point to resources that are not under the product's direct control.

*CPE(s)

Affected systems and software identified for this CVE.

Type	Vendor	Product	Version	Update	Edition	Language	Software Edition	Target Software	Target Hardware	Other Information
a	adobe	illustrator	29.2.1	/	/	/	/	/	/	/
a	adobe	illustrator	28.7.4	/	/	/	/	/	/	/
a	adobe	illustrator	/	/	/	/	/	/	/	/

References

https://helpx.adobe.com/security/products/illustrator/apsb25-17.html

CVSS Score

7.8 / 10

CVSS Data - 3.1

Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

View Vector String

Timeline

Published: March 11, 2025, 6:15 p.m.
Last Modified: March 11, 2025, 6:15 p.m.

Status : Awaiting Analysis

CVE has been marked for Analysis. Normally once in this state the CVE will be analyzed by NVD staff within 24 hours.

More info

Source

psirt@adobe.com

CVE-2025-27167