Adobe’s Latest Security Update: Addressing Over 60 Critical Vulnerabilities
Adobe has recently rolled out a comprehensive set of security patches targeting more than 60 vulnerabilities across 13 different software products. This update, part of Adobe’s routine Patch Tuesday initiative, aims to rectify issues in notable applications like Adobe Commerce, Illustrator, and the Substance 3D suite, ensuring users are better protected against potential threats.
Overview of the Security Updates
The latest Adobe security rollout includes advisories numbered APSB25-71 through APSB25-84, with the exception of APSB25-82. This effort reflects Adobe’s commitment to addressing an increasing range of security threats that could result in serious issues, such as arbitrary code execution, denial-of-service (DoS) conditions, memory leaks, and unauthorized privilege escalation.
Key Fixes to Note
The most urgent patches are categorized under APSB25-71, focusing on several critical vulnerabilities identified in Adobe Commerce and Magento Open Source, impacting versions 2.4.8‑p1 and earlier. Notably, six specific CVEs have been recognized, including:
- CVE-2025-49554: Involves improper input validation, leading to potential DoS attacks.
- CVE-2025-49555: A CSRF vulnerability that may allow privilege escalation.
- CVE-2025-49556: An authentication bypass flaw, enabling unauthorized file system access.
- CVE-2025-49557: A stored XSS vulnerability that can also lead to privilege escalation.
- CVE-2025-49558 & CVE-2025-49559: Security feature bypass vulnerabilities related to TOCTOU and path traversal.
Given the severity of these issues, which Adobe has assigned a priority rating of 2, updates to versions 2.4.8‑p2 and 2.4.7‑p7 are strongly recommended.
Impact on Substance 3D Products
A significant number of vulnerabilities were found within Adobe’s Substance 3D product line, including Viewer, Modeler, Painter, Sampler, and Stager. Patches in bulletins APSB25-72, 76, 77, 78, and 81 address critical code execution flaws primarily arising from heap-based buffer overflows and out-of-bounds writes.
Highlighted CVEs in Substance 3D:
- CVE-2025-49560 and CVE-2025-49569: Linked with the Substance 3D Viewer.
- CVE-2025-49571 to CVE-2025-49573 and CVE-2025-54186 to 54235: Associated with the Substance 3D Modeler.
- CVE-2025-54187 to CVE-2025-54195: Detected in Substance 3D Painter.
- CVE-2025-54205: Relevant to Substance 3D Sampler.
- CVE-2025-54222 and CVE-2025-54237: Affecting the Substance 3D Stager.
These vulnerabilities, primarily due to unsafe memory operations, pose serious risks of system crashes, data corruption, and remote code execution. Although they carry a priority rating of 3, which suggests important but less urgent action, upgrading is highly recommended.
Noteworthy Issues in Popular Creative Software
Adobe Illustrator (APSB25‑74)
A series of critical vulnerabilities was identified in Illustrator versions 2024 and 2025, including:
- CVE-2025-49563: Involves an out-of-bounds write.
- CVE-2025-49564: Related to stack-based buffer overflow.
- CVE-2025-49567: NULL pointer dereference causing potential DoS.
- CVE-2025-49568: A use-after-free vulnerability facilitating code execution.
Users are encouraged to update to Illustrator 2025 version 29.7 or later, and for Illustrator 2024, version 28.7.9 or later is recommended.
Adobe Photoshop (APSB25‑75)
Photoshop has also been affected by a critical out-of-bounds write vulnerability (CVE-2025-49570), which presents risks of arbitrary code execution in versions 2025 and 2024. Users should upgrade to the latest secure versions 26.9 and 25.12.4, respectively.
Adobe Animate (APSB25‑73)
In Adobe Animate, two vulnerabilities were fixed, including a use-after-free flaw (CVE-2025-49561) and a memory leak (CVE-2025-49562). Users are prompted to update to Animate versions 23.0.13 and 24.0.10.
Additional Updates for InDesign, InCopy, and FrameMaker
Adobe’s InDesign (APSB25‑79) and InCopy (APSB25‑80) also received crucial patches addressing heap overflows, use-after-free errors, and out-of-bounds writes. Similar vulnerabilities were patched in FrameMaker (APSB25‑83), emphasizing the need for users to keep their software versions updated for optimal security.
InCopy Fixes:
- CVE-2025-54215 to CVE-2025-54223: These critical vulnerabilities allow for arbitrary code execution, affecting versions 20.4 and 19.5.4 and earlier.
InDesign Fixes:
- CVE-2025-54206 to CVE-2025-54228: Critical memory-related issues requiring immediate updates.
Updates for these applications can be accessed through Creative Cloud or manual installation.
Adobe Dimension Addresses Memory Leak
The update labeled APSB25‑84 pertains to a memory leak vulnerability (CVE-2025-54238) in Adobe Dimension. While there are currently no known exploits associated with this vulnerability, users should update to version 4.1.4 across both Windows and macOS.
Emergent Threats Still Loom
Adobe has confirmed that, as of now, there are no known active exploits for the vulnerabilities rectified in this update. However, the company strongly encourages updating to the patched software versions without delay. Even without active exploitation, vulnerabilities such as buffer overflows and improper input validation pose significant threats.
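An added example, not from Adobe or the original article: a Python check that compares an inventory of installed versions against the fixed versions named above, using numeric comparison so that 25.9 correctly sorts below 25.12.4. The inventory, hostnames and status labels are assumptions; release lines for which the article names no fixed build are flagged for a manual bulletin check rather than guessed.

```python
import re

# Fixed versions exactly as stated in this article, keyed by release line.
FIXED = {
    "commerce":    {"2.4.8": "2.4.8-p2", "2.4.7": "2.4.7-p7"},
    "illustrator": {"29": "29.7", "28": "28.7.9"},
    "photoshop":   {"26": "26.9", "25": "25.12.4"},
    "animate":     {"24": "24.0.10", "23": "23.0.13"},
    "dimension":   {"4": "4.1.4"},
}

def parse(version):
    """'2.4.8-p1' -> ((2, 4, 8), 1); '29.7' -> ((29, 7), 0)."""
    # The article's text writes Commerce versions with U+2011 hyphens.
    text = version.strip().replace("\u2011", "-")
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-p(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    return tuple(int(n) for n in m.group(1).split(".")), int(m.group(2) or 0)

def sort_key(version):
    """Pad to four numeric fields so '29.7' == '29.7.0'; -pN sorts last."""
    nums, patch = parse(version)
    return nums + (0,) * (4 - len(nums)) + (patch,)

def status(product, installed):
    """Return 'patched', 'update' or 'check-bulletin' for one install."""
    nums, _ = parse(installed)
    depth = 3 if product == "commerce" else 1  # Commerce patches per x.y.z line
    line = ".".join(str(n) for n in nums[:depth])
    fixed = FIXED.get(product, {}).get(line)
    if fixed is None:
        return "check-bulletin"  # article gives no fixed build for this line
    return "patched" if sort_key(installed) >= sort_key(fixed) else "update"

# Constructed inventory (hostnames and versions are made up for illustration).
INVENTORY = [
    ("shop-01", "commerce", "2.4.8\u2011p1"),
    ("shop-02", "commerce", "2.4.7-p7"),
    ("shop-03", "commerce", "2.4.6-p11"),
    ("design-01", "photoshop", "25.9"),
    ("design-02", "illustrator", "29.7.0"),
]

def audit(inventory):
    return [(h, p, v, status(p, v)) for h, p, v in inventory]

if __name__ == "__main__":
    for row in audit(INVENTORY):
        print(*row, sep="\t")
```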
Contributions from the Security Community
Several independent researchers have played a key role in identifying and responsibly disclosing these vulnerabilities, including:
- Francis Provencher (prl)
- Jony (jony_juice)
- yjdfy
- voidexploit
- Additional contributors: kaiksi, blaklis, akashhamal0x01, wohlie, and others.
Adobe has publicly acknowledged these contributions in their official bulletins, highlighting the importance of collaborative efforts in cybersecurity.
This new set of updates emphasizes the importance of vigilance in maintaining the security of software applications. Users are advised to prioritize these updates to safeguard their systems effectively.


