What vulnerabilities were fixed in Adobe Acrobat and Acrobat Reader?

Nine vulnerabilities were identified in Acrobat and Acrobat Reader, with six critical ones: CVE-2025-27174, CVE-2025-27158, CVE-2025-27159, CVE-2025-27160, CVE-2025-27161, and CVE-2025-27162. These include Use After Free flaws, Access of Uninitialized Pointer issues, and Out-of-bounds Read vulnerabilities, all enabling arbitrary code execution with a CVSS score of 7.8.

What versions of Adobe Acrobat are affected by the vulnerabilities?

Affected versions include Acrobat DC (Continuous): 25.001.20428 and earlier, Acrobat Reader DC (Continuous): 25.001.20428 and earlier, Acrobat 2024 (Classic 2024): 24.001.30225 and earlier, Acrobat 2020 (Classic 2020): 20.005.30748 and earlier, and Acrobat Reader 2020 (Classic 2020): 20.005.30748 and earlier.

What vulnerabilities were fixed in Adobe Substance 3D Sampler?

Seven critical vulnerabilities were identified in Adobe Substance 3D Sampler (CVE-2025-24439 through CVE-2025-24445), including Heap-based Buffer Overflow and Out-of-bounds Write vulnerabilities enabling arbitrary code execution. These affect Adobe Substance 3D Sampler version 4.5.2 and earlier versions on all platforms.

What vulnerabilities were fixed in Adobe InDesign?

Nine vulnerabilities were identified in Adobe InDesign, with seven critical ones: CVE-2025-24452, CVE-2025-24453, CVE-2025-27166, CVE-2025-27171, CVE-2025-27175, CVE-2025-27177, and CVE-2025-27178. These include Out-of-bounds Write and Heap-based Buffer Overflow vulnerabilities. Affected versions are Adobe InDesign ID20.1 and earlier, and ID19.5.2 and earlier on Windows and macOS.

Advisory

Adobe releases March 2025 patches for multiple products

Q: What security updates did Adobe release in March 2025?

Adobe released March 2025 security updates fixing vulnerabilities across multiple products, including Acrobat Reader, InDesign, and the Substance 3D product line (Sampler, Painter, Modeler, and Designer), as well as Illustrator.

published: March 12, 2025

Take action: This month Adobe Acrobat and Reader and InDesign take priority. Then focus on the Substance 3D product line. The updates are not hard to apply, so don't delay. This one is easy.

Learn More

Adobe has released March 2025 security updates fixing vulnerabilities across multiple products, including Acrobat Reader, InDesign and the Substance 3D product line.

Acrobat and Acrobat Reader: Nine vulnerabilities were identified, with the following critical ones:

CVE-2025-27174 (CVSS score 7.8) - Use After Free flaw enabling arbitrary code execution
CVE-2025-27158 (CVSS score 7.8) - Access of Uninitialized Pointer enabling arbitrary code execution
CVE-2025-27159 (CVSS score 7.8) - Use After Free enabling arbitrary code execution
CVE-2025-27160 (CVSS score 7.8) - Use After Free enabling arbitrary code execution
CVE-2025-27161 (CVSS score 7.8) - Out-of-bounds Read enabling arbitrary code execution
CVE-2025-27162 (CVSS score 7.8) - Access of Uninitialized Pointer enabling arbitrary code execution

Affected Versions:

Acrobat DC (Continuous): 25.001.20428 and earlier
Acrobat Reader DC (Continuous): 25.001.20428 and earlier
Acrobat 2024 (Classic 2024): 24.001.30225 and earlier
Acrobat 2020 (Classic 2020): 20.005.30748 and earlier
Acrobat Reader 2020 (Classic 2020): 20.005.30748 and earlier

Adobe Substance 3D Sampler: Seven vulnerabilities were identified, all critical:

CVE-2025-24439 (CVSS score 7.8) - Heap-based Buffer Overflow enabling arbitrary code execution
CVE-2025-24440 (CVSS score 7.8) - Out-of-bounds Write enabling arbitrary code execution
CVE-2025-24441 (CVSS score 7.8) - Out-of-bounds Write enabling arbitrary code execution
CVE-2025-24442 (CVSS score 7.8) - Out-of-bounds Write enabling arbitrary code execution
CVE-2025-24443 (CVSS score 7.8) - Heap-based Buffer Overflow enabling arbitrary code execution
CVE-2025-24444 (CVSS score 7.8) - Out-of-bounds Write enabling arbitrary code execution
CVE-2025-24445 (CVSS score 7.8) - Out-of-bounds Write enabling arbitrary code execution

Affected Versions:

Adobe Substance 3D Sampler: 4.5.2 and earlier versions (All platforms)

Adobe Illustrator: Six vulnerabilities were identified, with the following critical ones:

CVE-2025-27167 (CVSS score 7.8) - Untrusted Search Path enabling arbitrary code execution
CVE-2025-27168 (CVSS score 7.8) - Stack-based Buffer Overflow enabling arbitrary code execution
CVE-2025-27169 (CVSS score 7.8) - Out-of-bounds Write enabling arbitrary code execution

Affected Versions:

Illustrator 2025: 29.2.1 and earlier (Windows and macOS)
Illustrator 2024: 28.7.4 and earlier versions (Windows and macOS

Adobe Substance 3D Painter: Two vulnerabilities were identified, all critical:

CVE-2025-24450 (CVSS score 7.8) - Out-of-bounds Write enabling arbitrary code execution
CVE-2025-24451 (CVSS score 7.8) - Out-of-bounds Write enabling arbitrary code execution

Affected Versions:

Adobe Substance 3D Painter: 10.1.2 and earlier versions (All platforms)

Adobe InDesign: Nine vulnerabilities were identified, with the following critical ones:

CVE-2025-24452 (CVSS score 7.8) - Out-of-bounds Write exposing a memory Leak
CVE-2025-24453 (CVSS score 7.8) - Heap-based Buffer Overflow enabling arbitrary code execution
CVE-2025-27166 (CVSS score 7.8) - Out-of-bounds Write enabling arbitrary code execution
CVE-2025-27171 (CVSS score 7.8) - Heap-based Buffer Overflow enabling arbitrary code execution
CVE-2025-27175 (CVSS score 7.8) - Out-of-bounds Write enabling arbitrary code execution
CVE-2025-27177 (CVSS score 7.8) - Heap-based Buffer Overflow enabling arbitrary code execution
CVE-2025-27178 (CVSS score 7.8) - Out-of-bounds Write exposing a memory Leak

Affected Versions:

Adobe InDesign: ID20.1 and earlier versions (Windows and macOS)
Adobe InDesign: ID19.5.2 and earlier version (Windows and macOS)

Adobe Substance 3D Modeler: Four vulnerabilities were identified, with the following critical ones:

CVE-2025-27181 (CVSS score 7.8) - Use After Free enabling abitrary code execution
CVE-2025-27173 (CVSS score 7.8) - Heap-based Buffer Overflow enabling arbitrary code execution

Affected Versions:

Adobe Substance 3D Modeler: 1.15 and earlier versions (All platforms)

Adobe Substance 3D Designer: Two vulnerabilities were identified, both critical:

CVE-2025-21169 (CVSS score 7.8) - Heap-based Buffer Overflow enabling arbitrary code execution
CVE-2025-27172 (CVSS score 7.8) - Out-of-bounds Write enabling arbitrary code execution

Affected Versions:

Adobe Substance 3D Designer: 14.1 and earlier versions (All platforms)

Adobe states it is not aware of any exploits in the wild for any of the issues addressed in these updates. Users are recommended to update their installations to the newest versions through their respective update mechanisms.

Adobe releases March 2025 patches for multiple products

Read More
Researcher steal passwords from credential managers using new …
Two Google Pixel Android flaws actively exploited
Zenbleed critical flaw reported in AMD Ryzen 2 …
Apple releases updates for actively exploited zero-day vulnerability …
Western Digital reports critical flaw in My Cloud …