Adobe Releases Patch Fixing 254 Vulnerabilities, Closing High-Severity Security Gaps

Adobe Releases Patch Fixing 254 Vulnerabilities, Closing High-Severity Security Gaps

Posted on By CWS

Jun 10, 2025Ravie LakshmananVulnerability / Cloud Safety
Adobe on Tuesday pushed safety updates to handle a complete of 254 safety flaws impacting its software program merchandise, a majority of which have an effect on Expertise Supervisor (AEM).
Of the 254 flaws, 225 reside in AEM, impacting AEM Cloud Service (CS) in addition to all variations previous to and together with 6.5.22. The problems have been resolved in AEM Cloud Service Launch 2025.5 and model 6.5.23.
“Profitable exploitation of those vulnerabilities may end in arbitrary code execution, privilege escalation, and safety function bypass,” Adobe mentioned in an advisory.
Virtually all of the 225 vulnerabilities have been labeled as cross-site scripting (XSS) vulnerabilities, particularly a mixture of saved XSS and DOM-based XSS, that could possibly be exploited to attain arbitrary code execution.
Adobe has credited safety researchers Jim Inexperienced (green-jam), Akshay Sharma (anonymous_blackzero), and lpi for locating and reporting the XSS flaws.
Probably the most extreme of the failings patched by the corporate as a part of this month’s replace considerations a code execution flaw in Adobe Commerce and Magento Open Supply.

The critical-rated vulnerability, CVE-2025-47110 (CVSS rating: 9.1) is a mirrored XSS vulnerability that might end in arbitrary code execution. Additionally addressed is an improper authorization flaw (CVE-2025-43585, CVSS rating: 8.2) that might result in a safety function bypass.
The next variations are impacted –

Adobe Commerce (2.4.8, 2.4.7-p5 and earlier, 2.4.6-p10 and earlier, 2.4.5-p12 and earlier, and a couple of.4.4-p13 and earlier)
Adobe Commerce B2B (1.5.2 and earlier, 1.4.2-p5 and earlier, 1.3.5-p10 and earlier, 1.3.4-p12 and earlier, and 1.3.3-p13 and earlier)
Magento Open Supply (2.4.8, 2.4.7-p5 and earlier, 2.4.6-p10 and earlier, 2.4.5-p12 and earlier)

Of the remaining updates, 4 relate to code execution flaws in Adobe InCopy (CVE-2025-30327, CVE-2025-47107, CVSS scores: 7.8) and Substance 3D Sampler (CVE-2025-43581, CVE-2025-43588, CVSS scores: 7.8).
Whereas not one of the bugs have been listed as publicly identified or exploited within the wild, customers are suggested to replace their situations to the newest model to safeguard in opposition to potential threats.

Discovered this text attention-grabbing? Observe us on Twitter  and LinkedIn to learn extra unique content material we publish.

The Hacker News Tags:, , , , , , , ,

Related Posts

Researchers Warn of Self-Spreading WhatsApp Malware Named SORVEPOTEL Researchers Warn of Self-Spreading WhatsApp Malware Named SORVEPOTEL The Hacker News
Mimo Hackers Exploit CVE-2025-32432 in Craft CMS to Deploy Cryptominer and Proxyware Mimo Hackers Exploit CVE-2025-32432 in Craft CMS to Deploy Cryptominer and Proxyware The Hacker News
Amazon Disrupts APT29 Watering Hole Campaign Abusing Microsoft Device Code Authentication Amazon Disrupts APT29 Watering Hole Campaign Abusing Microsoft Device Code Authentication The Hacker News
MintsLoader Drops GhostWeaver via Phishing, ClickFix — Uses DGA, TLS for Stealth Attacks MintsLoader Drops GhostWeaver via Phishing, ClickFix — Uses DGA, TLS for Stealth Attacks The Hacker News
Malicious Pull Request Targets 6,000+ Developers via Vulnerable Ethcode VS Code Extension Malicious Pull Request Targets 6,000+ Developers via Vulnerable Ethcode VS Code Extension The Hacker News
HPE Issues Security Patch for StoreOnce Bug Allowing Remote Authentication Bypass HPE Issues Security Patch for StoreOnce Bug Allowing Remote Authentication Bypass The Hacker News