Advisory

Adobe releases December 2024 patches for flaws in multiple products, including critical

Take action: If you use any Adobe products, read the advisory. Acrobat and Photoshop are listed, so patch them first, as they are the most common. Then read through the rest of the list; it's huge.



Adobe released security updates to address multiple vulnerabilities in Adobe software. Both Adobe and CISA encourage users and administrators to review the Adobe Security Bulletins and apply the necessary updates:

Adobe Substance 3D Painter - Multiple critical vulnerabilities have been patched, affecting versions 10.1.1 and earlier. Updates available through version 10.1.2.

  • CVE-2024-53957 (CVSS score 7.8) - Critical heap-based buffer overflow enabling arbitrary code execution
  • CVE-2024-53958 (CVSS score 7.8) - Critical out-of-bounds write enabling arbitrary code execution

Adobe Animate - Multiple critical vulnerabilities have been addressed, affecting Animate 2023 (23.0.8 and earlier) and 2024 (24.0.5 and earlier) versions.

  • CVE-2024-52982 through CVE-2024-52990 (CVSS score 7.8) - Critical improper input validation and integer-related vulnerabilities enabling arbitrary code execution
  • CVE-2024-45155, CVE-2024-45156 (CVSS score 7.8) - Critical pointer and memory-related vulnerabilities enabling arbitrary code execution
  • CVE-2024-53953, CVE-2024-53954 (CVSS score 7.8) - Critical use-after-free and integer underflow enabling arbitrary code execution

Adobe FrameMaker - One critical vulnerability has been patched, affecting FrameMaker 2020 (Update 7 and earlier) and 2022 (Update 5 and earlier).

  • CVE-2024-53959 (CVSS score 7.8) - Critical stack-based buffer overflow enabling arbitrary code execution

Adobe Photoshop - One critical vulnerability has been addressed, affecting Photoshop 2025 version 26.0 and earlier versions.

  • CVE-2024-52997 (CVSS score 7.8) - Critical use-after-free vulnerability enabling arbitrary code execution

Adobe Substance 3D Sampler - Multiple critical vulnerabilities have been patched, affecting versions 4.5.1 and earlier.

  • CVE-2024-52994 through CVE-2024-52996 (CVSS score 7.8) - Critical buffer overflow and out-of-bounds write vulnerabilities enabling arbitrary code execution

Adobe InDesign - Multiple critical and important vulnerabilities have been addressed, affecting versions ID19.5 and earlier, and ID18.5.4 and earlier.

  • CVE-2024-49543 through CVE-2024-49545 (CVSS score 7.8) - Critical buffer overflow vulnerabilities enabling arbitrary code execution
  • CVE-2024-49546 through CVE-2024-49549, CVE-2024-53951 (CVSS score 5.5) - Important out-of-bounds read vulnerabilities enabling memory leaks
  • CVE-2024-53952 (CVSS score 5.5) - Important NULL pointer dereference enabling denial-of-service

Adobe Experience Manager (AEM) - One critical and multiple important vulnerabilities have been patched, affecting AEM Cloud Service and versions 6.5.21 and earlier. Updates available through AEM Cloud Service Release 2024.11 and version 6.5.22.

  • CVE-2024-43711 (CVSS score 7.1) - Critical improper input validation vulnerability enabling arbitrary code execution
  • Multiple stored XSS vulnerabilities (CVSS score 5.4) enabling arbitrary code execution
  • CVE-2024-43729 (CVSS score 6.5) - Important improper authorization enabling security feature bypass

Adobe Connect - Multiple critical vulnerabilities have been addressed, affecting Connect 12.6 and earlier, and 11.4.7 and earlier. Updates available through versions 12.7 and 11.4.9.

  • CVE-2024-54032 (CVSS score 9.3) - Critical reflected XSS vulnerability enabling arbitrary code execution
  • CVE-2024-54036 (CVSS score 9.3) - Critical reflected XSS vulnerability enabling arbitrary code execution
  • CVE-2024-54034 (CVSS score 8.0) - Critical reflected XSS enabling arbitrary code execution
  • CVE-2024-54035 (CVSS score 7.3) - Critical improper authorization enabling privilege escalation
  • Multiple lower severity flaws

Adobe Acrobat and Reader - Multiple critical and important vulnerabilities have been patched, affecting multiple versions across Windows and macOS platforms.

  • CVE-2024-49530 (CVSS score 7.0) - Critical use-after-free vulnerability enabling arbitrary code execution
  • CVE-2024-49535 (CVSS score 6.3) - Critical XXE vulnerability enabling arbitrary code execution
  • CVE-2024-49531 (CVSS score 4.7) - Important NULL pointer dereference enabling denial-of-service
  • Multiple out-of-bounds read vulnerabilities (CVSS score 5.5) leading to memory leaks

Adobe Media Encoder - Multiple critical vulnerabilities have been addressed, affecting versions 24.6.3 and earlier, and 25.0 and earlier.

  • CVE-2024-49551 through CVE-2024-49553 (CVSS score 7.8) - Critical out-of-bounds write and heap-based buffer overflow vulnerabilities enabling arbitrary code execution
  • CVE-2024-49554 (CVSS score 5.5) - Important NULL pointer dereference enabling denial-of-service

Adobe Illustrator - Two critical vulnerabilities have been patched, affecting Illustrator 2025 (29.0.0) and earlier, and 2024 (28.7.2) and earlier.

  • CVE-2024-49538 and CVE-2024-49541 (CVSS score 7.8) - Critical out-of-bounds write vulnerabilities enabling arbitrary code execution

Adobe After Effects - One critical vulnerability has been addressed, affecting versions 24.6.2 and earlier, and 25.0.1 and earlier.

  • CVE-2024-49537 (CVSS score 7.8) - Critical stack-based buffer overflow leading to memory leak

Adobe Bridge - One critical vulnerability has been patched, affecting versions 14.1.3 and earlier, and 15.0 and earlier.

  • CVE-2024-53955 (CVSS score 7.8) - Critical integer underflow vulnerability enabling arbitrary code execution

Adobe Premiere Pro - One critical vulnerability has been addressed, affecting versions 25.0 and earlier, and 24.6.3 and earlier.

  • CVE-2024-53956 (CVSS score 7.8) - Critical heap-based buffer overflow enabling arbitrary code execution

Adobe PDFL SDK - One critical vulnerability has been patched, affecting PDFL SDK 21.0.0.5 and earlier versions.

  • CVE-2024-49513 (CVSS score 7.8) - Critical out-of-bounds write enabling arbitrary code execution

Adobe Substance 3D Modeler - Multiple critical and important vulnerabilities have been addressed, affecting versions 1.14.1 and earlier.

  • CVE-2024-52999 through CVE-2024-53003 (CVSS score 7.8) - Critical heap-based buffer overflow and out-of-bounds write vulnerabilities enabling arbitrary code execution
  • Multiple out-of-bounds read and NULL pointer dereference vulnerabilities (CVSS score 5.5) enabling arbitrary code execution and denial-of-service

Users are advised to review the product alert for the products they use and apply patches.
