Advisory

Adobe releases July 2025 patches for multiple products

Take action: This month, prioritize patching Adobe Experience Manager Forms, Adobe ColdFusion, and Adobe Connect. Then patch the remaining products covered this month: Illustrator, FrameMaker, InDesign, InCopy, Substance 3D Viewer, After Effects, Audition, Dimension, Substance 3D Stager, and Experience Manager Screens.



Adobe has released the July 2025 security updates addressing vulnerabilities across multiple products.

Adobe After Effects

Important vulnerabilities

  • CVE-2025-47109 (CVSS score 5.5) - NULL Pointer Dereference vulnerability that could lead to application denial-of-service.
  • CVE-2025-43587 (CVSS score 5.5) - Out-of-bounds Read vulnerability that could lead to memory leak.

Affected Versions:

  • After Effects 24.6.6 and earlier versions
  • After Effects 25.2 and earlier versions

Adobe Substance 3D Viewer

Critical vulnerabilities

  • CVE-2025-43582 (CVSS score 7.8) - Heap-based Buffer Overflow vulnerability that could lead to arbitrary code execution.

Important vulnerabilities

  • CVE-2025-43583 (CVSS score 5.5) - NULL Pointer Dereference vulnerability that could lead to application denial-of-service.
  • CVE-2025-43584 (CVSS score 5.5) - Out-of-bounds Read vulnerability that could lead to memory leak.

Affected Versions:

  • Substance 3D Viewer 0.22 and earlier versions

Adobe Audition

Important vulnerabilities

  • CVE-2025-43580 (CVSS score 5.5) - Access of Memory Location After End of Buffer vulnerability that could lead to application denial-of-service.

Affected Versions:

  • Audition 24.6.3 and earlier versions
  • Audition 25.2 and earlier versions

Adobe InCopy

Critical vulnerabilities

  • CVE-2025-47097 (CVSS score 7.8) - Integer Underflow (Wrap or Wraparound) vulnerability that could lead to arbitrary code execution.
  • CVE-2025-47098 (CVSS score 7.8) - Access of Uninitialized Pointer vulnerability that could lead to arbitrary code execution.
  • CVE-2025-47099 (CVSS score 7.8) - Heap-based Buffer Overflow vulnerability that could lead to arbitrary code execution.

Affected Versions:

  • InCopy 20.3 and earlier versions
  • InCopy 19.5.3 and earlier versions

Adobe InDesign

Critical vulnerabilities

  • CVE-2025-47136 (CVSS score 7.8) - Integer Underflow (Wrap or Wraparound) vulnerability that could lead to arbitrary code execution.
  • CVE-2025-43591 (CVSS score 7.8) - Heap-based Buffer Overflow vulnerability that could lead to arbitrary code execution.
  • CVE-2025-43592 (CVSS score 7.8) - Access of Uninitialized Pointer vulnerability that could lead to arbitrary code execution.
  • CVE-2025-43594 (CVSS score 7.8) - Out-of-bounds Write vulnerability that could lead to arbitrary code execution.
  • CVE-2025-47103 (CVSS score 7.8) - Heap-based Buffer Overflow vulnerability that could lead to arbitrary code execution.
  • CVE-2025-47134 (CVSS score 7.8) - Heap-based Buffer Overflow vulnerability that could lead to arbitrary code execution.

Affected Versions:

  • InDesign ID20.3 and earlier versions
  • InDesign ID19.5.3 and earlier versions

Adobe Connect

Critical vulnerabilities

  • CVE-2025-27203 (CVSS score 9.3) - Deserialization of Untrusted Data vulnerability that could lead to arbitrary code execution.

Affected Versions:

  • Connect Windows App 24 and earlier versions

Adobe Dimension

Critical vulnerabilities

  • CVE-2025-30312 (CVSS score 7.8) - Out-of-bounds Write vulnerability that could lead to arbitrary code execution.

Important vulnerabilities

  • CVE-2025-47135 (CVSS score 5.5) - Out-of-bounds Read vulnerability that could lead to memory leak.

Affected Versions:

  • Dimension 4.1.2 and earlier versions

Adobe Substance 3D Stager

Important vulnerabilities

  • CVE-2025-27165 (CVSS score 5.5) - Out-of-bounds Read vulnerability that could lead to memory leak.

Affected Versions:

  • Substance 3D Stager 3.1.2 and earlier versions

Adobe Illustrator

Critical vulnerabilities

  • CVE-2025-49526 (CVSS score 7.8) - Out-of-bounds Write vulnerability that could lead to arbitrary code execution.
  • CVE-2025-49527 (CVSS score 7.8) - Stack-based Buffer Overflow vulnerability that could lead to arbitrary code execution.
  • CVE-2025-49528 (CVSS score 7.8) - Stack-based Buffer Overflow vulnerability that could lead to arbitrary code execution.
  • CVE-2025-49529 (CVSS score 7.8) - Access of Uninitialized Pointer vulnerability that could lead to arbitrary code execution.
  • CVE-2025-49530 (CVSS score 7.8) - Out-of-bounds Write vulnerability that could lead to arbitrary code execution.
  • CVE-2025-49531 (CVSS score 7.8) - Integer Overflow or Wraparound vulnerability that could lead to arbitrary code execution.
  • CVE-2025-49532 (CVSS score 7.8) - Integer Underflow (Wrap or Wraparound) vulnerability that could lead to arbitrary code execution.

Important vulnerabilities

  • CVE-2025-30313 (CVSS score 5.5) - Out-of-bounds Read vulnerability that could lead to memory leak.
  • CVE-2025-49524 (CVSS score 5.5) - NULL Pointer Dereference vulnerability that could lead to application denial-of-service.
  • CVE-2025-49525 (CVSS score 5.5) - Out-of-bounds Read vulnerability that could lead to memory leak.

Affected Versions:

  • Illustrator 2025 (29.5.1 and earlier versions)
  • Illustrator 2024 (28.7.6 and earlier versions)

Adobe FrameMaker

Critical vulnerabilities

  • CVE-2025-47121 (CVSS score 7.8) - Access of Uninitialized Pointer vulnerability that could lead to arbitrary code execution.
  • CVE-2025-47122 (CVSS score 7.8) - Heap-based Buffer Overflow vulnerability that could lead to arbitrary code execution.
  • CVE-2025-47123 (CVSS score 7.8) - Heap-based Buffer Overflow vulnerability that could lead to arbitrary code execution.
  • CVE-2025-47124 (CVSS score 7.8) - Out-of-bounds Write vulnerability that could lead to arbitrary code execution.
  • CVE-2025-47125 (CVSS score 7.8) - Heap-based Buffer Overflow vulnerability that could lead to arbitrary code execution.
  • CVE-2025-47126 (CVSS score 7.8) - Out-of-bounds Write vulnerability that could lead to arbitrary code execution.
  • CVE-2025-47127 (CVSS score 7.8) - Out-of-bounds Write vulnerability that could lead to arbitrary code execution.
  • CVE-2025-47128 (CVSS score 7.8) - Integer Underflow (Wrap or Wraparound) vulnerability that could lead to arbitrary code execution.
  • CVE-2025-47129 (CVSS score 7.8) - Out-of-bounds Write vulnerability that could lead to arbitrary code execution.
  • CVE-2025-47130 (CVSS score 7.8) - Integer Underflow (Wrap or Wraparound) vulnerability that could lead to arbitrary code execution.
  • CVE-2025-47131 (CVSS score 7.8) - Heap-based Buffer Overflow vulnerability that could lead to arbitrary code execution.
  • CVE-2025-47132 (CVSS score 7.8) - Out-of-bounds Write vulnerability that could lead to arbitrary code execution.
  • CVE-2025-47133 (CVSS score 7.8) - Out-of-bounds Write vulnerability that could lead to arbitrary code execution.

Important vulnerabilities

  • CVE-2025-47120 (CVSS score 5.5) - Stack-based Buffer Overflow vulnerability that could lead to memory leak.
  • CVE-2025-47119 (CVSS score 5.5) - NULL Pointer Dereference vulnerability that could lead to application denial-of-service.

Affected Versions:

  • FrameMaker 2020 Release Update 8 and earlier versions
  • FrameMaker 2022 Release Update 6 and earlier versions

Adobe Experience Manager Forms

Critical vulnerabilities

  • CVE-2025-49533 (CVSS score 9.8) - Deserialization of Untrusted Data vulnerability that could lead to arbitrary code execution.

Affected Versions:

  • Adobe Experience Manager (AEM) Forms on JEE 6.5.23.0 and earlier versions

Adobe Experience Manager Screens

Important vulnerabilities

  • CVE-2025-49534 (CVSS score 5.4) - Cross-site Scripting (Reflected XSS) vulnerability that could lead to arbitrary code execution.
  • CVE-2025-49547 (CVSS score 5.4) - Cross-site Scripting (Reflected XSS) vulnerability that could lead to arbitrary code execution.

Affected Versions:

  • Adobe Experience Manager (AEM) Screens AEM 6.5.22 Screens FP11.4

Adobe ColdFusion

Critical vulnerabilities

  • CVE-2025-49535 (CVSS score 9.3) - Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could lead to arbitrary file system read.
  • CVE-2025-49551 (CVSS score 8.8) - Use of Hard-coded Credentials vulnerability that could lead to privilege escalation.
  • CVE-2025-49536 (CVSS score 8.1) - Incorrect Authorization vulnerability that could lead to security feature bypass.
  • CVE-2025-49537 (CVSS score 8.1) - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability that could lead to arbitrary file system read.
  • CVE-2025-49538 (CVSS score 7.4) - XML Injection (aka Blind XPath Injection) vulnerability that could lead to arbitrary file system read.

Important vulnerabilities

  • CVE-2025-49539 (CVSS score 6.5) - Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could lead to security feature bypass.
  • CVE-2025-49540 (CVSS score 4.8) - Cross-site Scripting (Stored XSS) vulnerability that could lead to arbitrary code execution.
  • CVE-2025-49541 (CVSS score 4.8) - Cross-site Scripting (Stored XSS) vulnerability that could lead to arbitrary code execution.
  • CVE-2025-49542 (CVSS score 6.1) - Cross-site Scripting (Stored XSS) vulnerability that could lead to arbitrary code execution.
  • CVE-2025-49543 (CVSS score 4.8) - Cross-site Scripting (Stored XSS) vulnerability that could lead to arbitrary code execution.
  • CVE-2025-49544 (CVSS score 6.8) - Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could lead to security feature bypass.
  • CVE-2025-49545 (CVSS score 6.8) - Server-Side Request Forgery (SSRF) vulnerability that could lead to arbitrary file system read.

Affected Versions:

  • ColdFusion 2025 (Update 2 and earlier versions)
  • ColdFusion 2023 (Update 14 and earlier versions)
  • ColdFusion 2021 (Update 20 and earlier versions)

Adobe reports that they are not aware of any exploits in the wild for any of the issues addressed in these updates. However, users are strongly encouraged to update their software to the latest versions.
