What products are affected by Adobe's December 2025 security updates?

Adobe's December 2025 security updates affect multiple products including Adobe ColdFusion, Adobe Experience Manager, Adobe DNG Software Development Kit, Adobe Acrobat and Reader, and Adobe Creative Cloud Desktop Application. These updates address vulnerabilities that could lead to arbitrary code execution, privilege escalation, and security feature bypass.

What are the most critical vulnerabilities in Adobe ColdFusion?

The most critical Adobe ColdFusion vulnerabilities include CVE-2025-61808 (CVSS 9.1) for unrestricted file upload, CVE-2025-61809 (CVSS 9.1) for improper input validation leading to security feature bypass, and CVE-2025-61830 (CVSS 9.1) for deserialization of untrusted data. All of these could lead to arbitrary code execution.

Which Adobe ColdFusion versions need to be updated?

Affected ColdFusion versions include ColdFusion 2025 Update 4 and earlier, ColdFusion 2023 Update 16 and earlier, and ColdFusion 2021 Update 22 and earlier. Users should update to the latest versions to address the security vulnerabilities.

Are there any known exploits for these Adobe vulnerabilities?

Adobe reports that they are not aware of any exploits in the wild for any of the issues addressed in the December 2025 security updates. However, users are strongly encouraged to update their software to the latest versions as a precautionary measure.

What types of vulnerabilities were fixed in Adobe Experience Manager?

Adobe Experience Manager updates addressed multiple Cross-site Scripting (XSS) vulnerabilities, including both DOM-based and Stored XSS issues. The most critical vulnerabilities (CVSS 9.3) were CVE-2025-64537 and CVE-2025-64539, which could lead to arbitrary code execution. The updates also addressed a vulnerable third-party component dependency issue.

Advisory

Adobe releases December 2025 patches for multiple products

published: Dec. 9, 2025

Take action: If you're running Adobe ColdFusion, Experience Manager, Acrobat, or Creative Cloud, review the Adobe December 2025 advisory. Prioritize ColdFusion and Experience Manager critical flaws, then Acrobat.

Learn More

Adobe has released the December 2025 security updates patching vulnerabilities across multiple products. The updates address multiple vulnerabilities, primarily affecting Adobe Experience Manager, ColdFusion, and Creative Cloud applications that could lead to arbitrary code execution, privilege escalation, and security feature bypass.

Adobe ColdFusion

Critical vulnerabilities

CVE-2025-61808 (CVSS score 9.1) - Unrestricted Upload of File with Dangerous Type vulnerability that could lead to arbitrary code execution.
CVE-2025-61809 (CVSS score 9.1) - Improper Input Validation vulnerability that could lead to security feature bypass.
CVE-2025-61830 (CVSS score 9.1) - Deserialization of Untrusted Data vulnerability that could lead to arbitrary code execution.
CVE-2025-61810 (CVSS score 8.2) - Deserialization of Untrusted Data vulnerability that could lead to arbitrary code execution.
CVE-2025-61811 (CVSS score 8.4) - Improper Access Control vulnerability that could lead to arbitrary code execution.
CVE-2025-61812 (CVSS score 8.4) - Improper Input Validation vulnerability that could lead to arbitrary code execution.
CVE-2025-61813 (CVSS score 8.2) - Improper Restriction of XML External Entity Reference vulnerability that could lead to arbitrary file system read.

Important vulnerabilities

CVE-2025-61821 (CVSS score 6.8) - Improper Restriction of XML External Entity Reference vulnerability that could lead to arbitrary file system read.
CVE-2025-61822 (CVSS score 6.2) - Improper Input Validation vulnerability that could lead to arbitrary file system write.
CVE-2025-61823 (CVSS score 6.2) - Improper Restriction of XML External Entity Reference vulnerability that could lead to arbitrary file system read.
CVE-2025-64897 (CVSS score 5.0) - Improper Access Control vulnerability that could lead to privilege escalation.
CVE-2025-64898 (CVSS score 4.3) - Insufficiently Protected Credentials vulnerability that could lead to privilege escalation.

Affected Versions:

ColdFusion 2025 - Update 4 and earlier versions
ColdFusion 2023 - Update 16 and earlier versions
ColdFusion 2021 - Update 22 and earlier versions

Adobe DNG Software Development Kit

Critical vulnerabilities

CVE-2025-64783 (CVSS score 7.8) - Integer Overflow or Wraparound vulnerability that could lead to arbitrary code execution.
CVE-2025-64784 (CVSS score 7.1) - Heap-based Buffer Overflow vulnerability that could lead to memory exposure.
CVE-2025-64893 (CVSS score 7.1) - Out-of-bounds Read vulnerability that could lead to memory exposure.

Important vulnerabilities

CVE-2025-64894 (CVSS score 5.5) - Integer Overflow or Wraparound vulnerability that could lead to application denial-of-service.

Affected Versions:

Adobe DNG Software Development Kit (SDK) - DNG SDK 1.7.0 and earlier versions

Adobe Acrobat and Reader

Critical vulnerabilities

CVE-2025-64785 (CVSS score 7.8) - Untrusted Search Path vulnerability that could lead to arbitrary code execution.
CVE-2025-64899 (CVSS score 7.8) - Out-of-bounds Read vulnerability that could lead to arbitrary code execution.

Moderate vulnerabilities

CVE-2025-64786 (CVSS score 3.3) - Improper Verification of Cryptographic Signature vulnerability that could lead to security feature bypass.
CVE-2025-64787 (CVSS score 3.3) - Improper Verification of Cryptographic Signature vulnerability that could lead to security feature bypass.

Affected Versions:

Acrobat DC Continuous - 25.001.20982 and earlier versions
Acrobat Reader DC Continuous - 25.001.20982 and earlier versions
Acrobat 2024 Classic - Windows: 24.001.30264 and earlier versions, macOS: 24.001.30273 and earlier versions
Acrobat 2020 Classic - Windows: 20.005.30793 and earlier versions, macOS: 20.005.30803 and earlier versions
Acrobat Reader 2020 Classic - Windows: 20.005.30793 and earlier versions, macOS: 20.005.30803 and earlier versions

Adobe Creative Cloud Desktop Application

Important vulnerabilities

CVE-2025-64896 (CVSS score 5.0) - Creation of Temporary File in Directory with Incorrect Permissions vulnerability that could lead to application denial-of-service.

Affected Versions:

Creative Cloud Desktop Application - 6.4.0.361 and earlier versions

Adobe reports that they are not aware of any exploits in the wild for any of the issues addressed in these updates. Users are strongly encouraged to update their software to the latest versions.

Adobe Experience Manager

Critical vulnerabilities

CVE-2025-64537 (CVSS score 9.3) - Cross-site Scripting (DOM-based XSS) vulnerability that could lead to arbitrary code execution.
CVE-2025-64539 (CVSS score 9.3) - Cross-site Scripting (DOM-based XSS) vulnerability that could lead to arbitrary code execution.
CVE-2025-64540 (CVSS score 8.5) - Dependency on Vulnerable Third-Party Component vulnerability that could lead to arbitrary file system read.

Important vulnerabilities: A total of 114 Cross-site Scripting (Stored and DOM-based XSS), all scored as CVSS score 5.4

Affected Versions:

Adobe Experience Manager AEM Cloud Service (CS) - All
Adobe Experience Manager 6.5 LTS - 6.5.23 and earlier versions

Adobe releases December 2025 patches for multiple products

Read More
Google releases new Chrome update updating a high …
Apple releases emergency update for actively exploited Apple …
WhisperPair Flaw Enables Bluetooth Hijacking and Tracking
Critical flaw reported Parallels Desktop, PoC released
Mozilla addresses multiple High-Severity flaws with Firefox 138 …