Adobe Addresses Major Security Flaws in Software Products
On June 10, 2025, Adobe released crucial security updates to tackle a significant number of vulnerabilities within its software suite, amounting to a total of 254 flaws. The bulk of these vulnerabilities are concentrated in Adobe Experience Manager (AEM), with 225 flaws specifically linked to this product.
Focus on Adobe Experience Manager
Among the 254 vulnerabilities, a staggering 225 are found within AEM, affecting both the AEM Cloud Service (CS) and all versions leading up to and including 6.5.22. Adobe has remedied these issues in the latest AEM Cloud Service Release 2025.5 and version 6.5.23, urging users to upgrade to safeguard their systems.
Adobe has indicated that successful exploitation of these vulnerabilities could lead to serious consequences, including arbitrary code execution, privilege escalation, and security feature bypass. These potential threats highlight the need for immediate attention from users relying on Adobe’s offerings.
Cross-Site Scripting Vulnerabilities
A majority of the identified vulnerabilities fall under the category of cross-site scripting (XSS), specifically a combination of stored XSS and DOM-based XSS. This type of vulnerability can be particularly dangerous as it allows an attacker to execute arbitrary code. Adobe credited several security researchers for their work in identifying these XSS flaws, including Jim Green, Akshay Sharma, and lpi.
Critical Vulnerabilities That Need Attention
Among the vulnerabilities addressed this month, one of the most severe is linked to Adobe Commerce and Magento Open Source. A critical vulnerability, known as CVE-2025-47110, has been rated with a CVSS score of 9.1. This reflected XSS vulnerability poses a significant risk by potentially permitting the execution of arbitrary code.
Additionally, Adobe has rectified an improper authorization flaw, denoted as CVE-2025-43585, which carries a CVSS score of 8.2. This flaw could allow an attacker to bypass critical security measures, further underscoring the importance of timely updates.
Affected Versions
The vulnerabilities span various versions of Adobe’s products, which include:
- Adobe Commerce: Versions 2.4.8, 2.4.7-p5 and earlier, 2.4.6-p10 and earlier, 2.4.5-p12 and earlier, and 2.4.4-p13 and earlier.
- Adobe Commerce B2B: Versions 1.5.2 and earlier, 1.4.2-p5 and earlier, 1.3.5-p10 and earlier, 1.3.4-p12 and earlier, and 1.3.3-p13 and earlier.
- Magento Open Source: Versions 2.4.8, 2.4.7-p5 and earlier, 2.4.6-p10 and earlier, and 2.4.5-p12 and earlier.
These details emphasize the need for users running outdated versions to perform updates as soon as possible.
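The version ranges above are awkward to compare by eye because of the `-pN` patch-level suffix. The following is an added example, not code from the advisory or from Adobe, that encodes the listed ranges so a defender can check an inventory of Adobe Commerce and Magento Open Source installs against them; the host names and inventory are constructed, and the handling of branches the advisory does not name (reported as "unlisted" rather than judged) is an assumption.

```python
import re
from typing import Dict, List, Tuple

# Affected ranges as listed in the advisory summary above. A bare version such
# as "2.4.8" is treated as patch level 0; "2.4.7-p5 and earlier" covers patch
# levels 0..5 of the 2.4.7 branch.
AFFECTED: Dict[str, Dict[str, int]] = {
    "Adobe Commerce": {"2.4.8": 0, "2.4.7": 5, "2.4.6": 10, "2.4.5": 12, "2.4.4": 13},
    "Adobe Commerce B2B": {"1.5.2": 0, "1.4.2": 5, "1.3.5": 10, "1.3.4": 12, "1.3.3": 13},
    "Magento Open Source": {"2.4.8": 0, "2.4.7": 5, "2.4.6": 10, "2.4.5": 12},
}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-p(\d+))?$")

def parse_version(text: str) -> Tuple[Tuple[int, int, int], int]:
    """Split '2.4.7-p5' into ((2, 4, 7), 5); a missing -p suffix is patch 0."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release)), int(patch or 0)

def assess(product: str, version: str) -> str:
    """Return 'affected', 'fixed' or 'unlisted' for one installed version."""
    base, patch = parse_version(version)
    branches = {parse_version(k)[0]: p for k, p in AFFECTED[product].items()}
    if base not in branches:
        # Assumption: branches the advisory does not name (older, out-of-support
        # lines or newer releases) cannot be judged from this list; flag for review.
        return "unlisted"
    return "affected" if patch <= branches[base] else "fixed"

def needs_upgrade(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Filter (host, product, version) records to those not confirmed fixed."""
    return [(h, p, v) for h, p, v in inventory if assess(p, v) != "fixed"]

# Constructed sample inventory; the host names are not real systems.
SAMPLE_INVENTORY = [
    ("shop-01", "Adobe Commerce", "2.4.7-p5"),
    ("shop-02", "Adobe Commerce", "2.4.7-p6"),
    ("shop-03", "Magento Open Source", "2.4.8"),
    ("shop-04", "Magento Open Source", "2.4.8-p1"),
    ("b2b-01", "Adobe Commerce B2B", "1.3.3-p14"),
    ("legacy-01", "Magento Open Source", "2.4.3-p2"),
]

if __name__ == "__main__":
    for host, product, version in needs_upgrade(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} -> {assess(product, version)}")
```

Feed it the output of whatever asset inventory you keep; anything reported as "affected" or "unlisted" needs a look before the patch window closes.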
Additional Vulnerabilities
Beyond the significant AEM vulnerabilities, Adobe has also addressed four additional code execution flaws found in Adobe InCopy and Substance 3D Sampler. These vulnerabilities, rated at a CVSS score of 7.8, reflect the ongoing security challenges across Adobe’s product line.
Recommendations for Users
While there are currently no known exploits in the wild, Adobe strongly advises users to upgrade their instances to the latest versions to effectively mitigate potential threats. Keeping software up to date is a fundamental practice in maintaining robust cybersecurity defenses.
In summary, Adobe’s recent security updates underscore the critical nature of timely patching and vigilance in cybersecurity, particularly for organizations that rely on its software tools. Staying informed about vulnerabilities and acting swiftly can significantly reduce the risk of exploitation.