Which Adobe product has the most severe vulnerabilities in this update?

Adobe ColdFusion has the most severe vulnerabilities, with six critical flaws rated at a CVSS score of 9.1 and one at 8.4. These include Improper Input Validation, Improper Access Control, OS Command Injection, and Incorrect Authorization vulnerabilities that could lead to arbitrary code execution, arbitrary file system read, and privilege escalation.

What versions of Adobe ColdFusion are affected by these security vulnerabilities?

The affected versions of Adobe ColdFusion include: ColdFusion 2025 (Update 1), ColdFusion 2023 (Update 13 and earlier versions), and ColdFusion 2021 (Update 19 and earlier versions).

What critical vulnerability was found in Adobe Connect?

Adobe Connect has a critical vulnerability (CVE-2025-43567) with a CVSS score of 9.3, making it the highest-rated vulnerability in this update. This is a Cross-site Scripting (Reflected XSS) vulnerability that could lead to privilege escalation. Adobe Connect 12.8 and earlier versions are affected.

Which Adobe creative applications received security updates?

Several Adobe creative applications received security updates, including: Animate, Bridge, Dreamweaver, Illustrator, InDesign, Lightroom, Photoshop, Dimension, Substance 3D Painter, Substance 3D Stager, and Substance 3D Modeler. All of these products had critical vulnerabilities that could lead to arbitrary code execution.

What types of vulnerabilities were found in Adobe Photoshop?

Adobe Photoshop had three critical vulnerabilities: CVE-2025-30324 (Integer Underflow), CVE-2025-30325 (Integer Overflow or Wraparound), and CVE-2025-30326 (Access of Uninitialized Pointer). All three have a CVSS score of 7.8 and could lead to arbitrary code execution if exploited. Affected versions include Photoshop 2025 (26.5 and earlier) and Photoshop 2024 (25.12.2 and earlier).

Which Adobe 3D products had security vulnerabilities patched?

Adobe patched critical vulnerabilities in three 3D products: Substance 3D Painter had one vulnerability (CVE-2025-30322, CVSS 7.8); Substance 3D Stager had five vulnerabilities (all with CVSS 7.8) including Use After Free and Out-of-bounds Write issues; and Substance 3D Modeler had two vulnerabilities (both CVSS 7.8) involving Uncontrolled Search Path Element and Out-of-bounds Write vulnerabilities.

What is the most common type of vulnerability found across these Adobe products?

The most common types of vulnerabilities found across these Adobe products include Out-of-bounds Write, Use After Free, Integer Overflow/Underflow, and Access of Uninitialized Pointer vulnerabilities. Most of these could lead to arbitrary code execution if successfully exploited.

What actions should Adobe users take regarding these security updates?

Adobe users are strongly encouraged to update their software to the latest versions as soon as possible to mitigate potential security risks, even though Adobe is not aware of any exploits in the wild for these vulnerabilities. The updates address critical and important security flaws that could potentially lead to arbitrary code execution, privilege escalation, and other serious security issues if left unpatched.

Advisory

Adobe releases May 2025 patches for multiple products

published: May 14, 2025

Take action: This month the highest priority is Adobe ColdFusion and Adobe Connect, which have the most critical flaws. Then Photoshop. Review the rest of the advisory for the rest, almost all have vulnerabilities.

Learn More

Adobe has released significant security updates on May 13, 2025, addressing multiple vulnerabilities across various products. These updates include patches for critical and important security flaws that could potentially lead to arbitrary code execution, privilege escalation, arbitrary file system read, memory leaks, and application denial-of-service.

Adobe has confirmed that it is not aware of any exploits in the wild for any of the issues addressed in these updates. However, users are strongly encouraged to update their software to the latest versions to mitigate potential security risks.

Adobe ColdFusion

Critical flaws

CVE-2025-43559 (CVSS score 9.1) - Improper Input Validation vulnerability that could lead to arbitrary file system read.
CVE-2025-43560 (CVSS score 9.1) - Improper Input Validation vulnerability that could lead to arbitrary code execution.
CVE-2025-43561 (CVSS score 9.1) - Improper Access Control vulnerability that could lead to arbitrary file system read.
CVE-2025-43562 (CVSS score 9.1) - OS Command Injection vulnerability that could lead to arbitrary code execution.
CVE-2025-43563 (CVSS score 9.1) - Improper Access Control vulnerability that could lead to privilege escalation.
CVE-2025-43564 (CVSS score 9.1) - Incorrect Authorization vulnerability that could lead to arbitrary code execution.
CVE-2025-43565 (CVSS score 8.4) - Improper Access Control vulnerability that could lead to arbitrary code execution.

Affected Versions:

ColdFusion 2025 (Update 1)
ColdFusion 2023 (Update 13 and earlier versions)
ColdFusion 2021 (Update 19 and earlier versions)

Adobe Connect

Critical vulnerabilities

CVE-2025-43567 (CVSS score 9.3) - Cross-site Scripting (Reflected XSS) vulnerability that could lead to privilege escalation.

Affected Versions:

Connect 12.8 and earlier versions

Adobe Animate

Critical vulnerabilities

CVE-2025-30328 (CVSS score 7.8) - Out-of-bounds Write vulnerability that could lead to arbitrary code execution.
CVE-2025-43555 (CVSS score 7.8) - Integer Underflow vulnerability that could lead to arbitrary code execution.
CVE-2025-43556 (CVSS score 7.8) - Integer Overflow or Wraparound vulnerability that could lead to arbitrary code execution.
CVE-2025-43557 (CVSS score 7.8) - Access of Uninitialized Pointer vulnerability that could lead to arbitrary code execution.

Affected Versions:

Animate 2023 (23.0.11 and earlier versions)
Animate 2024 (24.0.8 and earlier versions)

Adobe Bridge

Critical vulnerabilities

CVE-2025-43545 (CVSS score 7.8) - Access of Uninitialized Pointer vulnerability that could lead to arbitrary code execution.
CVE-2025-43546 (CVSS score 7.8) - Integer Underflow vulnerability that could lead to arbitrary code execution.
CVE-2025-43547 (CVSS score 7.8) - Integer Overflow or Wraparound vulnerability that could lead to arbitrary code execution.

Affected Versions:

Bridge 14.1.6 and earlier versions
Bridge 15.0.3 and earlier versions

Adobe Dreamweaver

Critical vulnerabilities

CVE-2025-30310 (CVSS score 7.8) - Access of Resource Using Incompatible Type ('Type Confusion') vulnerability that could lead to arbitrary code execution.

Affected Versions:

Dreamweaver 21.4 and earlier versions

Adobe Illustrator

Critical vulnerabilities

CVE-2025-30330 (CVSS score 7.8) - Heap-based Buffer Overflow vulnerability that could lead to arbitrary code execution.

Affected Versions:

Illustrator 2025 (29.3 and earlier versions)
Illustrator 2024 (28.7.5 and earlier versions)

Adobe InDesign

Critical vulnerabilities

CVE-2025-30318 (CVSS score 7.8) - Out-of-bounds Write vulnerability that could lead to arbitrary code execution.

Affected Versions:

InDesign ID20.2 and earlier versions
InDesign ID19.5.2 and earlier versions

Adobe Lightroom

Critical vulnerabilities

CVE-2025-27197 (CVSS score 7.8) - Out-of-bounds Write vulnerability that could lead to arbitrary code execution.

Affected Versions:

Lightroom 8.2 and earlier versions

Adobe Photoshop

Critical vulnerabilities

CVE-2025-30324 (CVSS score 7.8) - Integer Underflow vulnerability that could lead to arbitrary code execution.
CVE-2025-30325 (CVSS score 7.8) - Integer Overflow or Wraparound vulnerability that could lead to arbitrary code execution.
CVE-2025-30326 (CVSS score 7.8) - Access of Uninitialized Pointer vulnerability that could lead to arbitrary code execution.

Affected Versions:

Photoshop 2025 (26.5 and earlier versions)
Photoshop 2024 (25.12.2 and earlier versions)

Adobe Dimension

Critical vulnerabilities

CVE-2025-43548 (CVSS score 7.8) - Out-of-bounds Write vulnerability that could lead to arbitrary code execution.
CVE-2025-43572 (CVSS score 7.8) - Out-of-bounds Write vulnerability that could lead to arbitrary code execution.

Affected Versions:

Dimension 4.1.1 and earlier versions

Adobe Substance 3D Painter

Critical vulnerabilities

CVE-2025-30322 (CVSS score 7.8) - Out-of-bounds Write vulnerability that could lead to arbitrary code execution.

Affected Versions:

Substance 3D Painter 11.0 and earlier versions

Adobe Substance 3D Stager

Critical vulnerabilities

CVE-2025-43549 (CVSS score 7.8) - Use After Free vulnerability that could lead to arbitrary code execution.
CVE-2025-43568 (CVSS score 7.8) - Use After Free vulnerability that could lead to arbitrary code execution.
CVE-2025-43569 (CVSS score 7.8) - Out-of-bounds Write vulnerability that could lead to arbitrary code execution.
CVE-2025-43570 (CVSS score 7.8) - Use After Free vulnerability that could lead to arbitrary code execution.
CVE-2025-43571 (CVSS score 7.8) - Use After Free vulnerability that could lead to arbitrary code execution.

Affected Versions:

Substance 3D Stager 3.1.1 and earlier versions

Adobe Substance 3D Modeler

Critical vulnerabilities

CVE-2025-43553 (CVSS score 7.8) - Uncontrolled Search Path Element vulnerability that could lead to arbitrary code execution.
CVE-2025-43554 (CVSS score 7.8) - Out-of-bounds Write vulnerability that could lead to arbitrary code execution.

Affected Versions:

Substance 3D Modeler 1.21.0 and earlier versions

Adobe releases May 2025 patches for multiple products

Read More
Another critical RCE flaw reported in n8n automation …
Salesforce patches five vulnerabilities in Industry Cloud Components
Ongoing attacks on Gladinet's CentreStack and Triofox vulnerabilites
SAP November 2023 patch fixes critical severity flaw …
SAP releases September 2024 patches for 19 security …