Patchday: Code execution vulnerabilities in Adobe Acrobat, InDesign & Co. closed
Adobe's developers have closed several vulnerabilities in various products with security updates.
Attackers can exploit vulnerabilities in Adobe Acrobat, Commerce, Experience Manager, InCopy, InDesign, Substance 3D Painter and Substance 3D Sampler. Adobe is making updates available for download as part of the June Patchday.
Several points of attack
Adobe classifies the majority of the vulnerabilities as critical. For example, attackers can use a vulnerability (CVE-2025-43573 / EUVD-2025-17828, CVSS 7.8, risk "high") in Acrobat and Reader on macOS and Windows to trigger memory errors (use after free) in an unspecified way. They can then execute malicious code, which usually leads to the complete compromise of a computer.
Adobe Commerce and Magento Open Source are also vulnerable to malicious code attacks (e.g. CVE-2025-47110 / EUVD-2025-17706, CVSS 9.1, risk "critical"). Attackers can also bypass security functions here (CVE-2025-43585 / EUVD-2025-17708, CVSS 8.2, risk "high").
Admins can find further information on the security vulnerabilities and patched versions in the linked security advisories:
- Adobe Acrobat and Reader
- Adobe Commerce
- Adobe Experience Manager
- Adobe InCopy
- Adobe InDesign
- Substance 3D Painter
- Substance 3D Sampler
(des)