What did Adobe release in August 2025?

Adobe released the August 2025 security updates addressing vulnerabilities across multiple products including Adobe Commerce, Substance 3D applications, Creative Cloud products like Photoshop, Illustrator, InDesign, and other software in their portfolio.

How many Adobe products received security updates in August 2025?

Adobe's August 2025 security updates covered 13 different products: Adobe Commerce, Substance 3D Viewer, Animate, Illustrator, Photoshop, Substance 3D Modeler, Substance 3D Painter, Substance 3D Sampler, InDesign, InCopy, Substance 3D Stager, FrameMaker, and Dimension.

Which Adobe products had the most critical vulnerabilities in August 2025?

InDesign had the most critical vulnerabilities with 11 separate critical flaws, followed by InCopy with 8 critical vulnerabilities, and FrameMaker with 4 critical vulnerabilities. All of these could lead to arbitrary code execution.

What is the highest CVSS score among Adobe's August 2025 vulnerabilities?

The highest CVSS score is 8.7 for CVE-2025-49557, a Cross-site Scripting (Stored XSS) vulnerability in Adobe Commerce that could lead to privilege escalation.

Are there any known exploits for these Adobe vulnerabilities?

No, Adobe reports that they are not aware of any exploits in the wild for any of the issues addressed in these August 2025 updates. However, users are strongly encouraged to update their software to the latest versions.

What types of vulnerabilities were most common in Adobe's August 2025 update?

The most common vulnerability types were Out-of-bounds Write vulnerabilities that could lead to arbitrary code execution, Out-of-bounds Read vulnerabilities that could lead to memory leaks, Use After Free vulnerabilities, and Heap-based Buffer Overflow vulnerabilities.

Which Adobe Commerce vulnerabilities should be prioritized?

Priority should be given to CVE-2025-49557 (CVSS 8.7) - Cross-site Scripting vulnerability, CVE-2025-49555 (CVSS 8.1) - Cross-Site Request Forgery vulnerability, and CVE-2025-49554 and CVE-2025-49556 (both CVSS 7.5) for Input Validation and Authorization issues.

Are Adobe Creative Cloud applications affected by these security updates?

Yes, multiple Creative Cloud applications are affected including Photoshop (1 critical vulnerability), Illustrator (2 critical vulnerabilities), InDesign (11 critical vulnerabilities), InCopy (8 critical vulnerabilities), Animate (1 critical vulnerability), and Dimension (1 important vulnerability).

What Adobe Substance 3D products received security updates?

Five Substance 3D products received updates: Substance 3D Viewer (2 critical vulnerabilities), Substance 3D Modeler (3 critical, 10 important vulnerabilities), Substance 3D Painter (1 critical, 8 important vulnerabilities), Substance 3D Sampler (1 important vulnerability), and Substance 3D Stager (1 critical, 1 important vulnerability).

What should Adobe users do about these August 2025 security updates?

Users are strongly encouraged to update their Adobe software to the latest versions immediately. While there are no known exploits in the wild, many of the vulnerabilities could lead to arbitrary code execution, making prompt patching essential for security.

Do these Adobe vulnerabilities affect both commercial and open source products?

Yes, the updates affect both commercial Adobe products and open source software. Magento Open Source versions 2.4.9-alpha1, 2.4.8-p1 and earlier are affected by the same vulnerabilities as the commercial Adobe Commerce platform.

What is the most severe consequence of these Adobe vulnerabilities?

The most severe consequence is arbitrary code execution, which affects the majority of the critical vulnerabilities across products like InDesign, InCopy, Photoshop, Illustrator, Substance 3D applications, and others. This could allow attackers to run malicious code on affected systems.

Advisory

Adobe releases August 2025 patches for multiple products

published: Aug. 13, 2025

Take action: Another very large update release from Adobe. Fortunately, this month no critical flaws in Acrobat/Reader. Prioritize patching of Adobe Commerce & Magento Open Source, Illustrator and InDesign. Then review the rest of the list. Many products carry patches categorized as critical, so a proper review is needed for your organization

Learn More

Adobe has released the August 2025 security updates addressing vulnerabilities across multiple products.

Adobe Commerce

Critical vulnerabilities

CVE-2025-49554 (CVSS score 7.5) - Improper Input Validation vulnerability that could lead to application denial-of-service.
CVE-2025-49555 (CVSS score 8.1) - Cross-Site Request Forgery (CSRF) vulnerability that could lead to privilege escalation.
CVE-2025-49556 (CVSS score 7.5) - Incorrect Authorization vulnerability that could lead to arbitrary file system read.
CVE-2025-49557 (CVSS score 8.7) - Cross-site Scripting (Stored XSS) vulnerability that could lead to privilege escalation.

Important vulnerabilities

CVE-2025-49558 (CVSS score 5.9) - Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability that could lead to security feature bypass.
CVE-2025-49559 (CVSS score 5.3) - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could lead to security feature bypass.

Affected Versions:

Adobe Commerce 2.4.9-alpha1, 2.4.8-p1 and earlier versions, 2.4.7-p6 and earlier versions, 2.4.6-p11 and earlier versions, 2.4.5-p13 and earlier versions, 2.4.4-p14 and earlier versions
Adobe Commerce B2B 1.5.3-alpha1, 1.5.2-p1 and earlier versions, 1.4.2-p6 and earlier versions, 1.3.5-p11 and earlier versions, 1.3.4-p13 and earlier versions, 1.3.3-p14 and earlier versions
Magento Open Source 2.4.9-alpha1, 2.4.8-p1 and earlier versions, 2.4.7-p6 and earlier versions, 2.4.6-p11 and earlier versions, 2.4.5-p13 and earlier versions

Adobe Substance 3D Viewer

Critical vulnerabilities

CVE-2025-49560 (CVSS score 7.8) - Heap-based Buffer Overflow vulnerability that could lead to arbitrary code execution.
CVE-2025-49569 (CVSS score 7.8) - Out-of-bounds Write vulnerability that could lead to arbitrary code execution.

Affected Versions:

Substance 3D Viewer 0.25 and earlier versions

Adobe Animate

Critical vulnerabilities

CVE-2025-49561 (CVSS score 7.8) - Use After Free vulnerability that could lead to arbitrary code execution.

Important vulnerabilities

CVE-2025-49562 (CVSS score 5.5) - Use After Free vulnerability that could lead to memory leak.

Affected Versions:

Animate 2023 23.0.12 and earlier versions
Animate 2024 24.0.9 and earlier versions

Adobe Illustrator

Critical vulnerabilities

CVE-2025-49563 (CVSS score 7.8) - Out-of-bounds Write vulnerability that could lead to arbitrary code execution.
CVE-2025-49564 (CVSS score 7.8) - Stack-based Buffer Overflow vulnerability that could lead to arbitrary code execution.

Important vulnerabilities

CVE-2025-49567 (CVSS score 5.5) - NULL Pointer Dereference vulnerability that could lead to application denial-of-service.
CVE-2025-49568 (CVSS score 5.5) - Use After Free vulnerability that could lead to arbitrary code execution.

Affected Versions:

Illustrator 2025 29.6.1 and earlier versions
Illustrator 2024 28.7.8 and earlier versions

Adobe Photoshop

Critical vulnerabilities

CVE-2025-49570 (CVSS score 7.8) - Out-of-bounds Write vulnerability that could lead to arbitrary code execution.

Affected Versions:

Photoshop 2025 26.8 and earlier versions
Photoshop 2024 25.12.3 and earlier versions

Adobe Substance 3D Modeler

Critical vulnerabilities

CVE-2025-49571 (CVSS score 7.8) - Uncontrolled Search Path Element vulnerability that could lead to arbitrary code execution.
CVE-2025-49572 (CVSS score 7.8) - Out-of-bounds Write vulnerability that could lead to arbitrary code execution.
CVE-2025-49573 (CVSS score 7.8) - Out-of-bounds Write vulnerability that could lead to arbitrary code execution.

Important vulnerabilities

CVE-2025-54186 (CVSS score 5.5) - Out-of-bounds Read vulnerability that could lead to memory leak.
CVE-2025-54197 (CVSS score 5.5) - Out-of-bounds Read vulnerability that could lead to memory leak.
CVE-2025-54204 (CVSS score 5.5) - Out-of-bounds Read vulnerability that could lead to memory leak.
CVE-2025-54198 (CVSS score 5.5) - Out-of-bounds Read vulnerability that could lead to memory leak.
CVE-2025-54199 (CVSS score 5.5) - Out-of-bounds Read vulnerability that could lead to memory leak.
CVE-2025-54200 (CVSS score 5.5) - Out-of-bounds Read vulnerability that could lead to memory leak.
CVE-2025-54201 (CVSS score 5.5) - Out-of-bounds Read vulnerability that could lead to memory leak.
CVE-2025-54202 (CVSS score 5.5) - Out-of-bounds Read vulnerability that could lead to memory leak.
CVE-2025-54203 (CVSS score 5.5) - Out-of-bounds Read vulnerability that could lead to memory leak.
CVE-2025-54235 (CVSS score 5.5) - Out-of-bounds Read vulnerability that could lead to memory leak.

Affected Versions:

Substance 3D Modeler 1.22.0 and earlier versions

Adobe Substance 3D Painter

Critical vulnerabilities

CVE-2025-54187 (CVSS score 7.8) - Out-of-bounds Write vulnerability that could lead to arbitrary code execution.

Important vulnerabilities

CVE-2025-54188 (CVSS score 5.5) - Out-of-bounds Read vulnerability that could lead to memory leak.
CVE-2025-54189 (CVSS score 5.5) - Out-of-bounds Read vulnerability that could lead to memory leak.
CVE-2025-54190 (CVSS score 5.5) - Out-of-bounds Read vulnerability that could lead to memory leak.
CVE-2025-54191 (CVSS score 5.5) - Out-of-bounds Read vulnerability that could lead to memory leak.
CVE-2025-54192 (CVSS score 5.5) - Out-of-bounds Read vulnerability that could lead to memory leak.
CVE-2025-54193 (CVSS score 5.5) - Out-of-bounds Read vulnerability that could lead to memory leak.
CVE-2025-54194 (CVSS score 5.5) - Out-of-bounds Read vulnerability that could lead to memory leak.
CVE-2025-54195 (CVSS score 5.5) - Out-of-bounds Read vulnerability that could lead to memory leak.

Affected Versions:

Substance 3D Painter 11.0.2 and earlier versions

Adobe Substance 3D Sampler

Important vulnerabilities

CVE-2025-54205 (CVSS score 5.5) - Out-of-bounds Read vulnerability that could lead to memory leak.

Affected Versions:

Substance 3D Sampler 5.0.3 and earlier versions

Adobe InDesign

Critical vulnerabilities

CVE-2025-54206 (CVSS score 7.8) - Out-of-bounds Write vulnerability that could lead to arbitrary code execution.
CVE-2025-54207 (CVSS score 7.8) - Access of Uninitialized Pointer vulnerability that could lead to arbitrary code execution.
CVE-2025-54208 (CVSS score 7.8) - Out-of-bounds Write vulnerability that could lead to arbitrary code execution.
CVE-2025-54209 (CVSS score 7.8) - Heap-based Buffer Overflow vulnerability that could lead to arbitrary code execution.
CVE-2025-54210 (CVSS score 7.8) - Out-of-bounds Write vulnerability that could lead to arbitrary code execution.
CVE-2025-54211 (CVSS score 7.8) - Heap-based Buffer Overflow vulnerability that could lead to arbitrary code execution.
CVE-2025-54212 (CVSS score 7.8) - Heap-based Buffer Overflow vulnerability that could lead to arbitrary code execution.
CVE-2025-54213 (CVSS score 7.8) - Out-of-bounds Write vulnerability that could lead to arbitrary code execution.
CVE-2025-54224 (CVSS score 7.8) - Use After Free vulnerability that could lead to arbitrary code execution.
CVE-2025-54225 (CVSS score 7.8) - Use After Free vulnerability that could lead to arbitrary code execution.
CVE-2025-54226 (CVSS score 7.8) - Use After Free vulnerability that could lead to arbitrary code execution.

Important vulnerabilities

CVE-2025-54214 (CVSS score 5.3) - Out-of-bounds Read vulnerability that could lead to memory leak.
CVE-2025-54227 (CVSS score 5.5) - Out-of-bounds Read vulnerability that could lead to memory leak.
CVE-2025-54228 (CVSS score 5.5) - Out-of-bounds Read vulnerability that could lead to memory leak.

Affected Versions:

InDesign ID20.4 and earlier versions
InDesign ID19.5.4 and earlier versions

Adobe InCopy

Critical vulnerabilities

CVE-2025-54215 (CVSS score 7.8) - Out-of-bounds Write vulnerability that could lead to arbitrary code execution.
CVE-2025-54216 (CVSS score 7.8) - Out-of-bounds Write vulnerability that could lead to arbitrary code execution.
CVE-2025-54217 (CVSS score 7.8) - Heap-based Buffer Overflow vulnerability that could lead to arbitrary code execution.
CVE-2025-54218 (CVSS score 7.8) - Out-of-bounds Write vulnerability that could lead to arbitrary code execution.
CVE-2025-54219 (CVSS score 7.8) - Heap-based Buffer Overflow vulnerability that could lead to arbitrary code execution.
CVE-2025-54220 (CVSS score 7.8) - Heap-based Buffer Overflow vulnerability that could lead to arbitrary code execution.
CVE-2025-54221 (CVSS score 7.8) - Out-of-bounds Write vulnerability that could lead to arbitrary code execution.
CVE-2025-54223 (CVSS score 7.8) - Use After Free vulnerability that could lead to arbitrary code execution.

Affected Versions:

InCopy 20.4 and earlier versions
InCopy 19.5.4 and earlier versions

Adobe Substance 3D Stager

Critical vulnerabilities

CVE-2025-54222 (CVSS score 7.8) - Out-of-bounds Write vulnerability that could lead to arbitrary code execution.

Important vulnerabilities

CVE-2025-54237 (CVSS score 5.5) - Out-of-bounds Read vulnerability that could lead to memory leak.

Affected Versions:

Substance 3D Stager 3.1.3 and earlier versions

Adobe FrameMaker

Critical vulnerabilities

CVE-2025-54229 (CVSS score 7.8) - Use After Free vulnerability that could lead to arbitrary code execution.
CVE-2025-54230 (CVSS score 7.8) - Use After Free vulnerability that could lead to arbitrary code execution.
CVE-2025-54231 (CVSS score 7.8) - Use After Free vulnerability that could lead to arbitrary code execution.
CVE-2025-54232 (CVSS score 7.8) - Use After Free vulnerability that could lead to arbitrary code execution.

Important vulnerabilities

CVE-2025-54233 (CVSS score 5.5) - Out-of-bounds Read vulnerability that could lead to memory leak.

Affected Versions:

FrameMaker 2020 Release Update 8 and earlier versions
FrameMaker 2022 Release Update 6 and earlier versions

Adobe Dimension

Important vulnerabilities

CVE-2025-54238 (CVSS score 5.5) - Out-of-bounds Read vulnerability that could lead to memory leak.

Affected Versions:

Dimension 4.1.3 and earlier versions

Adobe reports that they are not aware of any exploits in the wild for any of the issues addressed in these updates. However, users are strongly encouraged to update their software to the latest versions.

Adobe releases August 2025 patches for multiple products

Read More
Apple Shortcuts vulnerability enables zero-click data theft
Microsoft Edge releases new version patching bugs, and …
Adobe releases september 2024 patches for flaws in …
Windows AFD for WinSock vulnerability exploited by North …
Mozilla addresses multiple High-Severity flaws with Firefox 138 …