Adobe releases October 2025 patches for multiple products
Take action: If you are using Adobe Connect, patch that first. Next in priority are Adobe Commerce/Magento and all Adobe Creative Cloud applications (Bridge, Animate, Illustrator, Dimension, FrameMaker, and Substance 3D products). Then review the advisory for the rest of the Adobe products you use.
Adobe has released its October 2025 security updates, patching vulnerabilities in multiple products. The most critical vulnerability is in Adobe Connect, tracked as CVE-2025-49553 (CVSS score 9.3), a DOM-based Cross-site Scripting (XSS) vulnerability that could lead to arbitrary code execution without requiring authentication. The flaw allows attackers to execute arbitrary code with low complexity and no privileges required, which makes it particularly severe.
Adobe Connect
Critical vulnerabilities
- CVE-2025-49553 (CVSS score 9.3) - Cross-site Scripting (DOM-based XSS) vulnerability that could lead to arbitrary code execution.
- CVE-2025-49552 (CVSS score 7.3) - Cross-site Scripting (DOM-based XSS) vulnerability that could lead to arbitrary code execution.
Moderate vulnerabilities
- CVE-2025-54196 (CVSS score 3.1) - URL Redirection to Untrusted Site ('Open Redirect') vulnerability that could lead to security feature bypass.
Affected Versions:
- Adobe Connect 12.9 and earlier versions
Adobe Commerce and Magento Open Source
Critical vulnerabilities
- CVE-2025-54263 (CVSS score 8.8) - Improper Access Control vulnerability that could lead to security feature bypass.
- CVE-2025-54264 (CVSS score 8.1) - Cross-site Scripting (Stored XSS) vulnerability that could lead to privilege escalation.
Important vulnerabilities
- CVE-2025-54265 (CVSS score 5.9) - Incorrect Authorization vulnerability that could lead to security feature bypass.
- CVE-2025-54266 (CVSS score 4.8) - Cross-site Scripting (Stored XSS) vulnerability that could lead to arbitrary code execution.
- CVE-2025-54267 (CVSS score 6.5) - Incorrect Authorization vulnerability that could lead to privilege escalation.
Affected Versions:
- Adobe Commerce 2.4.9-alpha2 and earlier versions, 2.4.8-p2 and earlier versions, 2.4.7-p7 and earlier versions, 2.4.6-p12 and earlier versions, 2.4.5-p14 and earlier versions, 2.4.4-p15 and earlier versions
- Adobe Commerce B2B 1.5.3-alpha2 and earlier versions, 1.5.2-p2 and earlier versions, 1.4.2-p7 and earlier versions, 1.3.5-p12 and earlier versions, 1.3.4-p14 and earlier versions, 1.3.3-p15 and earlier versions
- Magento Open Source 2.4.9-alpha2 and earlier versions, 2.4.8-p2 and earlier versions, 2.4.7-p7 and earlier versions, 2.4.6-p12 and earlier versions, 2.4.5-p14 and earlier versions
Adobe Bridge
Critical vulnerabilities
- CVE-2025-54268 (CVSS score 7.8) - Heap-based Buffer Overflow vulnerability that could lead to arbitrary code execution.
Important vulnerabilities
- CVE-2025-54278 (CVSS score 5.5) - Heap-based Buffer Overflow vulnerability that could lead to memory exposure.
Affected Versions:
- Adobe Bridge 14.1.8 (LTS) and earlier versions
- Adobe Bridge 15.1.1 and earlier versions
Adobe Animate
Critical vulnerabilities
- CVE-2025-54279 (CVSS score 7.8) - Use After Free vulnerability that could lead to arbitrary code execution.
- CVE-2025-61804 (CVSS score 7.8) - Heap-based Buffer Overflow vulnerability that could lead to arbitrary code execution.
Important vulnerabilities
- CVE-2025-54269 (CVSS score 5.5) - Out-of-bounds Read vulnerability that could lead to memory exposure.
- CVE-2025-54270 (CVSS score 5.5) - NULL Pointer Dereference vulnerability that could lead to memory exposure.
Affected Versions:
- Adobe Animate 2023 23.0.13 and earlier versions
- Adobe Animate 2024 24.0.10 and earlier versions
Adobe Illustrator
Critical vulnerabilities
- CVE-2025-54283 (CVSS score 7.8) - Out-of-bounds Write vulnerability that could lead to arbitrary code execution.
- CVE-2025-54284 (CVSS score 7.8) - Out-of-bounds Write vulnerability that could lead to arbitrary code execution.
Affected Versions:
- Illustrator 2025 29.7 and earlier versions
- Illustrator 2024 28.7.9 and earlier versions
Adobe Dimension
Critical vulnerabilities
- CVE-2025-61798 (CVSS score 7.8) - Out-of-bounds Read vulnerability that could lead to arbitrary code execution.
- CVE-2025-61799 (CVSS score 7.8) - Out-of-bounds Read vulnerability that could lead to arbitrary code execution.
- CVE-2025-61800 (CVSS score 7.8) - Integer Overflow or Wraparound vulnerability that could lead to arbitrary code execution.
- CVE-2025-61801 (CVSS score 7.8) - Use After Free vulnerability that could lead to arbitrary code execution.
Affected Versions:
- Adobe Dimension 4.1.4 and earlier versions
Adobe FrameMaker
Critical vulnerabilities
- CVE-2025-54281 (CVSS score 7.8) - Use After Free vulnerability that could lead to arbitrary code execution.
- CVE-2025-54282 (CVSS score 7.8) - Heap-based Buffer Overflow vulnerability that could lead to arbitrary code execution.
Affected Versions:
- Adobe FrameMaker 2020 Release Update 9 and earlier versions
- Adobe FrameMaker 2022 Release Update 7 and earlier versions
Substance 3D Viewer
Critical vulnerabilities
- CVE-2025-54273 (CVSS score 7.8) - Out-of-bounds Write vulnerability that could lead to arbitrary code execution.
- CVE-2025-54274 (CVSS score 7.8) - Stack-based Buffer Overflow vulnerability that could lead to arbitrary code execution.
- CVE-2025-54280 (CVSS score 7.8) - Out-of-bounds Write vulnerability that could lead to arbitrary code execution.
Important vulnerabilities
- CVE-2025-54275 (CVSS score 5.5) - Out-of-bounds Write vulnerability that could lead to application denial-of-service.
Affected Versions:
- Substance 3D Viewer 0.25.2 and earlier versions
Substance 3D Modeler
Critical vulnerabilities
- CVE-2025-54276 (CVSS score 7.8) - Out-of-bounds Read vulnerability that could lead to arbitrary code execution.
Affected Versions:
- Substance 3D Modeler 1.22.3 and earlier versions
Substance 3D Stager
Critical vulnerabilities
- CVE-2025-61802 (CVSS score 7.8) - Use After Free vulnerability that could lead to arbitrary code execution.
- CVE-2025-61803 (CVSS score 7.8) - Integer Overflow or Wraparound vulnerability that could lead to arbitrary code execution.
- CVE-2025-61805 (CVSS score 7.8) - Out-of-bounds Read vulnerability that could lead to arbitrary code execution.
- CVE-2025-61806 (CVSS score 7.8) - Out-of-bounds Read vulnerability that could lead to arbitrary code execution.
- CVE-2025-61807 (CVSS score 7.8) - Integer Overflow or Wraparound vulnerability that could lead to arbitrary code execution.
Affected Versions:
- Substance 3D Stager 3.1.4 and earlier versions
Adobe Experience Manager Screens
Important vulnerabilities
- CVE-2025-54272 (CVSS score 5.4) - Cross-site Scripting (Reflected XSS) vulnerability that could lead to arbitrary code execution.
- CVE-2025-54296 (CVSS score 5.4) - Cross-site Scripting (Stored XSS) vulnerability that could lead to arbitrary code execution.
- CVE-2025-54297 (CVSS score 5.4) - Cross-site Scripting (Stored XSS) vulnerability that could lead to arbitrary code execution.
Affected Versions:
- Adobe Experience Manager (AEM) Screens AEM 6.5.22 Screens FP11.6
Creative Cloud Desktop Application
Important vulnerabilities
- CVE-2025-54271 (CVSS score 5.3) - Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability that could lead to arbitrary file system write.
Affected Versions:
- Creative Cloud Desktop Application 6.7.0.278 and earlier versions (macOS only)
Adobe reports that they are not aware of any exploits in the wild for any of the issues addressed in these updates. However, users are strongly encouraged to update their software to the latest versions.