Patchday Adobe: Malware attacks on InDesign and Photoshop possible

Various Adobe applications are vulnerable due to vulnerabilities. Adobe's May Patchday security updates close vulnerabilities in Animate, Bridge, ColdFusion, Connect, Dreamweaver, InDesign, Illustrator, Lightroom, Photoshop, Substance 3D Modeler, Substance 3D Painter and Substance 3D Stager.

Admins should ensure that the applications are up-to-date. The developers have prepared the following editions against possible attacks:

• Animate 2023 23.0.12 macOS, Windows
• Animate 2024 24.0.9 macOS, Windows
• Bridge 14.1.7 macOS, Windows
• Bridge 15.0.4 macOS, Windows
• ColdFusion 2021 Update 20 all platforms
• ColdFuison 2023 Update 14 all platforms
• ColdFusion 2025 Update 2 all platforms
• Connect 12.9 all platforms
• Dreamweaver 21.5 macOS, Windows
• InDesign ID19.5.3 macOS, Windows
• InDesign ID20.3 macOS, Windows
• Illustrator 28.7.6 macOS, Windows
• Illustrator 29.4 macOS, Windows
• Lightroom 8.3 all platforms
• Photoshop 25.12.3 macOS, Windows
• Photoshop 26.6 macOS, Windows
• Substance 3D Modeler 1.22.0 all platforms
• Substance 3D Painter 11.0.1 all platforms
• Substance 3D Stager 3.1.1 macOS, Windows

Various attacks conceivable

Those who do not install the updates risk denial-of-service and malware attacks. Attackers can use a “critical” vulnerability (CVE-2025-43567) in Connect to gain higher user rights in an unspecified way. Several vulnerabilities (such as CVE-2025-43559) in ColdFusion are also considered “critical”. Attackers can use these vulnerabilities to access files that are not actually accessible.

So far, there have been no reports of attackers exploiting the vulnerabilities. However, admins should not wait too long to install the patches. Adobe lists further information in the following warning messages:

• Animate
• Bridge
• ColdFusion
• Connect
• Dreamweaver
• InDesign
• Illustrator
• Lightroom
• Photoshop
• Substance 3D Modeler
• Substance 3D Painter
• Substance 3D Stager

(des)