Patchday Adobe: Critical malware vulnerabilities threaten ColdFusion & Co.

Vulnerabilities in AEM Forms, After Effects, AEM Screens, Animate, Bridge, ColdFusion, Commerce, FrameMaker, Media Encoder, Photoshop, Premiere Pro and XMP Toolkit SDK put PCs at risk.

So far, there are no reports of attackers exploiting vulnerabilities. However, admins should not delay too long in installing the security updates. Admins can find further information on the vulnerabilities and secured versions in the warning message linked below this message.

Systems can be compromised

Most of the vulnerabilities affect ColdFusion. The developers have closed four “critical” malware vulnerabilities (CVE-2025-24446, CVE-2025-24447, CVE-2025-30281, CVE-2025-30282), among others. It is not clear from the warning message what specific attacks could look like. Obviously, there are various starting points, such as insufficient input validation and unauthorized authentication.

The developers state that they have closed the gaps in ColdFusion 2021 Update 19, ColdFusion 2023 Update 13 and ColdFusion 2025 Update 1.

Security patches available

Further attacks with malicious code are possible on Animate and FrameMaker, among others. Attackers can trigger memory errors at these locations in unspecified ways. To prevent attacks, the developers have released Animate 2023 23.0.11 and Animate 2024 24.0.8 under macOS and Windows. FrameMaker has been secured in the FrameMaker 2020 Update 8 and FrameMaker 2022 Update 6 releases under Windows.

Attackers can also use Photoshop for a malicious code attack (CVE-2025-27198 “high”). The Photoshop 2024 25.12.2 and Photoshop 2025 26.5 versions have been repaired.

Warning messages from Adobe:

• Animate
• Bridge
• ColdFusion
• Commerce
• Experience Manager Forms
• Experience Manager Screens
• FrameMaker
• Media Encoder
• Photoshop
• Premiere Pro
• XMP Toolkit SDK

(des)