What is Adobe's November 2025 security update?

Adobe's November 2025 security update patches multiple vulnerabilities across multiple products, primarily affecting Creative Cloud applications that could lead to arbitrary code execution. The updates address critical vulnerabilities in Adobe InDesign, InCopy, Photoshop, Illustrator, Illustrator on iPad, Pass Authentication Android SDK, Substance 3D Stager, and Format Plugins.

Which Adobe products are affected by the November 2025 security updates?

The affected products include Adobe InDesign, Adobe InCopy, Adobe Photoshop, Adobe Illustrator (desktop and iPad versions), Adobe Pass Authentication Android SDK, Adobe Substance 3D Stager, and Adobe Format Plugins. Most of these are Creative Cloud applications used for design, photography, and content creation.

What vulnerabilities affect Adobe InDesign?

Adobe InDesign has four critical vulnerabilities: CVE-2025-61814 and CVE-2025-61815 (Use After Free vulnerabilities with CVSS score 7.8), and CVE-2025-61824 and CVE-2025-61832 (Heap-based Buffer Overflow vulnerabilities with CVSS score 7.8). All could lead to arbitrary code execution. Affected versions include Adobe InDesign ID20.5 and earlier, and ID19.5.5 and earlier.

What vulnerabilities affect Adobe InCopy?

Adobe InCopy has three critical vulnerabilities: CVE-2025-61816 (Heap-based Buffer Overflow), CVE-2025-61817 and CVE-2025-61818 (Use After Free vulnerabilities). All have a CVSS score of 7.8 and could lead to arbitrary code execution. Affected versions include Adobe InCopy 20.5 and earlier, and 19.5.5 and earlier.

What vulnerabilities affect Adobe Photoshop?

Adobe Photoshop has one critical vulnerability: CVE-2025-61819 (CVSS score 7.8), a Heap-based Buffer Overflow vulnerability that could lead to arbitrary code execution. The affected version is Photoshop 2025 26.8.1 and earlier versions on Windows.

What vulnerabilities affect Adobe Illustrator?

Adobe Illustrator (desktop) has two critical vulnerabilities: CVE-2025-61820 (Heap-based Buffer Overflow) and CVE-2025-61831 (Out-of-bounds Write), both with CVSS score 7.8 that could lead to arbitrary code execution. Affected versions include Illustrator 2025 29.8.2 and earlier, and Illustrator 2024 28.7.10 and earlier.

What vulnerabilities affect Adobe Illustrator on iPad?

Adobe Illustrator on iPad has five critical vulnerabilities: CVE-2025-61826 and CVE-2025-61836 (Integer Underflow vulnerabilities), CVE-2025-61827 and CVE-2025-61829 (Heap-based Buffer Overflow vulnerabilities), and CVE-2025-61828 (Out-of-bounds Write vulnerability). All have CVSS score 7.8 and could lead to arbitrary code execution. The affected version is Adobe Illustrator on iPad 3.0.9 and earlier.

What vulnerabilities affect Adobe Substance 3D Stager?

Adobe Substance 3D Stager has four critical vulnerabilities: CVE-2025-61833 (Out-of-bounds Read), CVE-2025-61834 and CVE-2025-64531 (Use After Free vulnerabilities), and CVE-2025-61835 (Integer Underflow). All have CVSS score 7.8 and could lead to arbitrary code execution. The affected version is Adobe Substance 3D Stager 3.1.5 and earlier.

What vulnerabilities affect Adobe Format Plugins?

Adobe Format Plugins has three critical vulnerabilities: CVE-2025-61837 and CVE-2025-61838 (Heap-based Buffer Overflow vulnerabilities), and CVE-2025-61839 (Out-of-bounds Read vulnerability), all with CVSS score 7.8 that could lead to arbitrary code execution. Additionally, there are six important vulnerabilities (CVE-2025-61840 through CVE-2025-61845) with CVSS score 5.5 that could lead to memory exposure. The affected version is Adobe Format Plugins 1.1.1 and earlier.

What vulnerability affects Adobe Pass Authentication Android SDK?

Adobe Pass Authentication Android SDK has one critical vulnerability: CVE-2025-61830 (CVSS score 7.1), an Incorrect Authorization vulnerability that could lead to security feature bypass. The affected version is Adobe Pass Authentication Android SDK 3.7.3 and earlier.

What types of vulnerabilities are included in Adobe's November 2025 update?

The vulnerabilities include various types: Use After Free vulnerabilities, Heap-based Buffer Overflow vulnerabilities, Out-of-bounds Write vulnerabilities, Out-of-bounds Read vulnerabilities, Integer Underflow (Wrap or Wraparound) vulnerabilities, and Incorrect Authorization vulnerabilities. Most of these could lead to arbitrary code execution, while some could lead to memory exposure or security feature bypass.

Are these Adobe vulnerabilities being actively exploited?

No, Adobe reports that they are not aware of any exploits in the wild for any of the issues addressed in these updates. However, users are strongly encouraged to update their software to the latest versions as a precautionary measure.

What should Adobe users do about these vulnerabilities?

Users are strongly encouraged to update their software to the latest versions immediately. This applies to all affected Adobe products including InDesign, InCopy, Photoshop, Illustrator, Illustrator on iPad, Pass Authentication Android SDK, Substance 3D Stager, and Format Plugins.

What is the severity level of most Adobe vulnerabilities in this update?

Most vulnerabilities in Adobe's November 2025 update are rated as critical with CVSS scores of 7.8, with one critical vulnerability at 7.1. There are also several important vulnerabilities in Adobe Format Plugins with CVSS scores of 5.5. The critical vulnerabilities could lead to arbitrary code execution, making them high priority for patching.

What is arbitrary code execution?

Arbitrary code execution means that an attacker could potentially execute malicious code on a victim's system by exploiting the vulnerability. In the context of these Adobe vulnerabilities, if successfully exploited, an attacker could run unauthorized code with the same privileges as the affected application, potentially leading to system compromise, data theft, or further malicious activities.

Advisory

Adobe releases November 2025 patches for multiple products

published: Nov. 11, 2025

Take action: This month prioritze patching of Adobe Creative Cloud applications (InDesign, InCopy, Photoshop, Illustrator, Substance 3D Stager, Format Plugins). This is not a panic mode patch, but don't ignore the patch. Hackers love when we ignore patches.

Learn More

Adobe has released the November 2025 security updates patching vulnerabilities across multiple products. The updates multiple vulnerabilities, primarily affecting Creative Cloud applications that could lead to arbitrary code execution.

Adobe InDesign

Critical vulnerabilities

CVE-2025-61814 (CVSS score 7.8) - Use After Free vulnerability that could lead to arbitrary code execution.
CVE-2025-61815 (CVSS score 7.8) - Use After Free vulnerability that could lead to arbitrary code execution.
CVE-2025-61824 (CVSS score 7.8) - Heap-based Buffer Overflow vulnerability that could lead to arbitrary code execution.
CVE-2025-61832 (CVSS score 7.8) - Heap-based Buffer Overflow vulnerability that could lead to arbitrary code execution.

Affected Versions:

Adobe InDesign ID20.5 and earlier versions
Adobe InDesign ID19.5.5 and earlier versions

Adobe InCopy

Critical vulnerabilities

CVE-2025-61816 (CVSS score 7.8) - Heap-based Buffer Overflow vulnerability that could lead to arbitrary code execution.
CVE-2025-61817 (CVSS score 7.8) - Use After Free vulnerability that could lead to arbitrary code execution.
CVE-2025-61818 (CVSS score 7.8) - Use After Free vulnerability that could lead to arbitrary code execution.

Affected Versions:

Adobe InCopy 20.5 and earlier versions
Adobe InCopy 19.5.5 and earlier versions

Adobe Photoshop

Critical vulnerabilities

CVE-2025-61819 (CVSS score 7.8) - Heap-based Buffer Overflow vulnerability that could lead to arbitrary code execution.

Affected Versions:

Photoshop 2025 26.8.1 and earlier versions (Windows)

Adobe Illustrator

Critical vulnerabilities

CVE-2025-61820 (CVSS score 7.8) - Heap-based Buffer Overflow vulnerability that could lead to arbitrary code execution.
CVE-2025-61831 (CVSS score 7.8) - Out-of-bounds Write vulnerability that could lead to arbitrary code execution.

Affected Versions:

Illustrator 2025 29.8.2 and earlier versions
Illustrator 2024 28.7.10 and earlier versions

Adobe Illustrator on iPad

Critical vulnerabilities

CVE-2025-61826 (CVSS score 7.8) - Integer Underflow (Wrap or Wraparound) vulnerability that could lead to arbitrary code execution.
CVE-2025-61827 (CVSS score 7.8) - Heap-based Buffer Overflow vulnerability that could lead to arbitrary code execution.
CVE-2025-61828 (CVSS score 7.8) - Out-of-bounds Write vulnerability that could lead to arbitrary code execution.
CVE-2025-61829 (CVSS score 7.8) - Heap-based Buffer Overflow vulnerability that could lead to arbitrary code execution.
CVE-2025-61836 (CVSS score 7.8) - Integer Underflow (Wrap or Wraparound) vulnerability that could lead to arbitrary code execution.

Affected Versions:

Adobe Illustrator on iPad 3.0.9 and earlier versions

Adobe Pass Authentication Android SDK

Critical vulnerabilities

CVE-2025-61830 (CVSS score 7.1) - Incorrect Authorization vulnerability that could lead to security feature bypass.

Affected Versions:

Adobe Pass Authentication Android SDK 3.7.3 and earlier versions

Adobe Substance 3D Stager

Critical vulnerabilities

CVE-2025-61833 (CVSS score 7.8) - Out-of-bounds Read vulnerability that could lead to arbitrary code execution.
CVE-2025-61834 (CVSS score 7.8) - Use After Free vulnerability that could lead to arbitrary code execution.
CVE-2025-64531 (CVSS score 7.8) - Use After Free vulnerability that could lead to arbitrary code execution.
CVE-2025-61835 (CVSS score 7.8) - Integer Underflow (Wrap or Wraparound) vulnerability that could lead to arbitrary code execution.

Affected Versions:

Adobe Substance 3D Stager 3.1.5 and earlier versions

Adobe Format Plugins

Critical vulnerabilities

CVE-2025-61837 (CVSS score 7.8) - Heap-based Buffer Overflow vulnerability that could lead to arbitrary code execution.
CVE-2025-61838 (CVSS score 7.8) - Heap-based Buffer Overflow vulnerability that could lead to arbitrary code execution.
CVE-2025-61839 (CVSS score 7.8) - Out-of-bounds Read vulnerability that could lead to arbitrary code execution.

Important vulnerabilities

CVE-2025-61840 (CVSS score 5.5) - Out-of-bounds Read vulnerability that could lead to memory exposure.
CVE-2025-61841 (CVSS score 5.5) - Out-of-bounds Read vulnerability that could lead to memory exposure.
CVE-2025-61842 (CVSS score 5.5) - Use After Free vulnerability that could lead to memory exposure.
CVE-2025-61843 (CVSS score 5.5) - Out-of-bounds Read vulnerability that could lead to memory exposure.
CVE-2025-61844 (CVSS score 5.5) - Out-of-bounds Read vulnerability that could lead to memory exposure.
CVE-2025-61845 (CVSS score 5.5) - Out-of-bounds Read vulnerability that could lead to memory exposure.

Affected Versions:

Adobe Format Plugins 1.1.1 and earlier versions

Adobe reports that they are not aware of any exploits in the wild for any of the issues addressed in these updates. Users are strongly encouraged to update their software to the latest versions.

Adobe releases November 2025 patches for multiple products

Read More
Researchers discover exploitation code that uses LogoFAIL UEFI …
Adobe releases January 2025 patches for multiple products
Hackers abuse outdated D-Link routers for botnets
Microsoft confirms Windows April 2025 security update creates …
Google patches fourth actively exploited Chrome flaw in …