What are the most critical vulnerabilities in Adobe Experience Manager?

The critical flaws in Adobe Experience Manager include CVE-2025-46840 (CVSS score: 8.7) for Improper Authorization that could lead to privilege escalation, and CVE-2025-46837 (CVSS score: 7.1) for Improper Input Validation that could lead to arbitrary code execution.

What critical vulnerabilities affect Adobe Commerce and Magento Open Source?

Adobe Commerce and Magento Open Source have two critical vulnerabilities: CVE-2025-47110 (CVSS score: 9.1), a Reflected XSS vulnerability that could result in arbitrary code execution, and CVE-2025-43585 (CVSS score: 8.2), an improper authorization flaw that could lead to a security feature bypass.

Which Adobe Creative Cloud applications are affected by the June 2025 security updates?

Multiple Adobe Creative Cloud applications are affected, including InCopy (2 critical vulnerabilities), Acrobat and Reader (4 critical vulnerabilities), InDesign (5 critical vulnerabilities), Substance 3D Sampler (2 critical vulnerabilities), and Substance 3D Painter (1 critical vulnerability). All have CVSS scores of 7.8 and could lead to arbitrary code execution.

What types of vulnerabilities are most common in the Adobe June 2025 update?

The most common vulnerability types include cross-site scripting (XSS) vulnerabilities (particularly in AEM), Use After Free vulnerabilities, Out-of-bounds Write vulnerabilities, Heap-based Buffer Overflow, and various flaws that could lead to arbitrary code execution, privilege escalation, and security feature bypass.

Are any of the Adobe vulnerabilities being actively exploited?

None of the bugs have been listed as publicly known or exploited in the wild. However, users are advised to update their instances to the latest version to safeguard against potential threats.

Which Adobe products should organizations prioritize for updates?

Organizations should prioritize updates for Adobe Commerce and Experience Manager due to the critical nature and high CVSS scores of the vulnerabilities addressed. Adobe Commerce has a critical vulnerability with CVSS score 9.1, while AEM has numerous XSS vulnerabilities and critical authorization flaws.

How should organizations apply the Adobe June 2025 security updates?

Organizations should update to AEM Cloud Service Release 2025.5 or later for Experience Manager, update Adobe Commerce and Magento to the latest versions, and update Creative Cloud applications (InCopy, InDesign, Acrobat/Reader, Substance 3D products) via the Creative Cloud desktop app. Given the massive scope of 254 vulnerabilities, systematic updating across all Adobe products is essential.

Advisory

Adobe releases June 2025 patches, addressing 254 vulnerabilities across multiple products

Q: Which Adobe product had the most vulnerabilities in the June 2025 update?

Of the 254 flaws, 225 reside in Adobe Experience Manager (AEM), impacting AEM Cloud Service (CS). Almost all the 225 vulnerabilities have been classified as cross-site scripting (XSS) vulnerabilities, specifically a mix of stored XSS and DOM-based XSS, that could be exploited to achieve arbitrary code execution.

published: June 10, 2025

Take action: This month the highest priority is Adobe Acrobat and Reader and Adobe Commerce and Magento Open Source. Patch them first, because we all have a Reader or Acrobat on our computers, and Commerce/Magento are exposed on the internet. Then patch Adobe Experience Manager because it has a HUGE list of vulnerabilities. Then everything else.

Learn More

Adobe has released the June 2025 security updates addressing a massive total of 254 vulnerabilities across various products. These updates include patches for critical and important security flaws that could potentially lead to arbitrary code execution, privilege escalation, cross-site scripting, security feature bypass, and privilege escalation.

Of the 254 flaws, 225 reside in AEM, impacting AEM Cloud Service (CS).

Adobe Experience Manager

Critical flaws

CVE-2025-46840 (CVSS score: 8.7) - Improper Authorization that could lead to privilege escalation
CVE-2025-46837 (CVSS score: 7.1) - Improper Input Validation that could lead to arbitrary code execution

Almost all the 225 vulnerabilities have been classified as cross-site scripting (XSS) vulnerabilities, specifically a mix of stored XSS and DOM-based XSS, that could be exploited to achieve arbitrary code execution.

Affected Versions:

AEM Cloud Service (prior to Release 2025.5)
AEM 6.5.22 and earlier versions

Adobe Commerce and Magento Open Source

Critical vulnerabilities

CVE-2025-47110 (CVSS score: 9.1) - Reflected XSS vulnerability that could result in arbitrary code execution.
CVE-2025-43585 (CVSS score: 8.2) - Improper authorization flaw that could lead to a security feature bypass.

Affected Versions:

Adobe Commerce (2.4.8, 2.4.7-p5 and earlier, 2.4.6-p10 and earlier, 2.4.5-p12 and earlier, and 2.4.4-p13 and earlier)
Adobe Commerce B2B (1.5.2 and earlier, 1.4.2-p5 and earlier, 1.3.5-p10 and earlier, 1.3.4-p12 and earlier, and 1.3.3-p13 and earlier)
Magento Open Source (2.4.8, 2.4.7-p5 and earlier, 2.4.6-p10 and earlier, 2.4.5-p12 and earlier)

Adobe InCopy

Critical vulnerabilities

CVE-2025-30327 (CVSS score: 7.8) - Vulnerability that could lead to arbitrary code execution.
CVE-2025-47107 (CVSS score: 7.8) - Vulnerability that could lead to arbitrary code execution.

Affected Versions:

InCopy versions requiring update via Creative Cloud desktop app

Adobe Acrobat and Reader

Critical vulnerabilities

CVE-2025-43573, CVE-2025-43574 (CVSS score: 7.8) - Use After Free vulnerabilities that could lead to arbitrary code execution.
CVE-2025-43576 (CVSS score: 7.8) - Use After Free vulnerability that could lead to arbitrary code execution.
CVE-2025-43575 (CVSS score: 7.8)- Out-of-bounds Write that could lead to arbitrary code execution.

Affected Versions:

Acrobat DC Continuous and Classic versions
Acrobat Reader DC Continuous and Classic versions

Adobe InDesign

Critical vulnerabilities

CVE-2025-30317 (CVSS score 7.8) - Heap-based Buffer Overflow vulnerability that could lead to arbitrary code execution.
CVE-2025-43558 (CVSS score 7.8) - Out-of-bounds Write vulnerability that could lead to arbitrary code execution.
CVE-2025-43589 (CVSS score 7.8) - Use After Free vulnerability that could lead to arbitrary code execution.
CVE-2025-43590 (CVSS score 7.8) - Out-of-bounds Write vulnerability that could lead to arbitrary code execution.
CVE-2025-43593 (CVSS score 7.8) - Out-of-bounds Write vulnerability that could lead to arbitrary code execution.

Affected Versions:

InDesign versions requiring update via Creative Cloud desktop app

Adobe Substance 3D Sampler

Critical vulnerabilities

CVE-2025-43581 (CVSS score: 7.8) - Vulnerability that could lead to arbitrary code execution.
CVE-2025-43588 (CVSS score: 7.8) - Vulnerability that could lead to arbitrary code execution.

Affected Versions:

Substance 3D Sampler versions requiring update

Adobe Substance 3D Painter

Critical vulnerabilities

CVE-2025-47108 (CVSS score 7.8) - Out-of-bounds Write that could lead to arbitrary code execution

Affected Versions:

Substance 3D Painter versions requiring update

While none of the bugs have been listed as publicly known or exploited in the wild, users are advised to update their instances to the latest version to safeguard against potential threats. Organizations should prioritize updates for Adobe Commerce and Experience Manager due to the critical nature and high CVSS scores of the vulnerabilities addressed.

Adobe releases June 2025 patches, addressing 254 vulnerabilities across multiple products

Read More
CISA warns of active exploitation of legacy D-Link …
Researchers publish aggregated infostealer data that exposed 183 …
CISA warns of active exploitation of three years …
Microsoft October 2025 patch tuesday fixes 172 flaws …
Google releases Chrome 132, fixes 16 flaws including …