Adobe releases February 2025 patches for multiple products
Take action: This month Adobe Commerce and Magento Open Source are the highest priority. Then move to Illustrator, InDesign, InCopy and Substance 3D. Don't delay the Commerce and Magento patches: both are critical, and the platforms are usually exposed to the internet.
Adobe has released critical security updates for several products including InDesign, InCopy, Illustrator, Substance 3D Designer, and Adobe Commerce/Magento Open Source. These updates address multiple vulnerabilities of varying severity levels.
Adobe InDesign: Seven vulnerabilities were identified, with the following critical ones:
- CVE-2025-21157 (CVSS score 7.8) - Out-of-bounds Write vulnerability leading to arbitrary code execution
- CVE-2025-21158 (CVSS score 7.8) - Integer Underflow vulnerability leading to arbitrary code execution
- CVE-2025-21121 (CVSS score 7.8) - Out-of-bounds Write vulnerability leading to arbitrary code execution
- CVE-2025-21123 (CVSS score 7.8) - Heap-based Buffer Overflow vulnerability leading to arbitrary code execution
Adobe InCopy: One critical vulnerability was identified:
- CVE-2025-21156 (CVSS score 7.8) - Integer Underflow vulnerability leading to arbitrary code execution
Adobe Illustrator: Three critical vulnerabilities were identified:
- CVE-2025-21159 (CVSS score 7.8) - Use After Free vulnerability leading to arbitrary code execution
- CVE-2025-21160 (CVSS score 7.8) - Integer Underflow vulnerability leading to arbitrary code execution
- CVE-2025-21163 (CVSS score 7.8) - Stack-based Buffer Overflow vulnerability leading to arbitrary code execution
Adobe Substance 3D Designer: One critical vulnerability was identified:
- CVE-2025-21161 (CVSS score 7.8) - Out-of-bounds Write vulnerability leading to arbitrary code execution
Adobe Commerce and Magento Open Source: Multiple critical vulnerabilities were identified:
- CVE-2025-24434 (CVSS score 9.4) - Improper Authorization vulnerability leading to privilege escalation
- CVE-2025-24412 (CVSS score 8.9) - Stored Cross-site Scripting (XSS) vulnerability enabling arbitrary code execution
- CVE-2025-24414 (CVSS score 8.9) - Stored Cross-site Scripting (XSS) vulnerability enabling arbitrary code execution
- CVE-2025-24415 (CVSS score 8.9) - Stored Cross-site Scripting (XSS) vulnerability enabling arbitrary code execution
- CVE-2025-24416 (CVSS score 8.9) - Stored Cross-site Scripting (XSS) vulnerability enabling arbitrary code execution
- CVE-2025-24417 (CVSS score 8.9) - Stored Cross-site Scripting (XSS) vulnerability enabling arbitrary code execution
- CVE-2025-24411 (CVSS score 8.8) - Improper Access Control vulnerability leading to security feature bypass
- CVE-2025-24438 (CVSS score 8.7) - Stored Cross-site Scripting (XSS) vulnerability enabling arbitrary code execution
- CVE-2025-24410 (CVSS score 8.7) - Stored Cross-site Scripting (XSS) vulnerability enabling arbitrary code execution
- CVE-2025-24409 (CVSS score 8.2) - Improper Authorization vulnerability allowing security feature bypass
- CVE-2025-24408 (CVSS score 8.1) - Information Exposure vulnerability leading to privilege escalation
- CVE-2025-24406 (CVSS score 7.5) - Path Traversal vulnerability leading to privilege escalation
- CVE-2025-24407 (CVSS score 7.1) - Incorrect Authorization vulnerability enabling security feature bypass
For Adobe Commerce and Magento Open Source users, an isolated patch is available specifically for CVE-2025-24434 due to its critical nature and high CVSS score.
Adobe has confirmed that they are not aware of any exploits in the wild for any of the addressed vulnerabilities. Users are strongly recommended to update their software to the latest versions through the Creative Cloud desktop app updater or respective product update mechanisms.