Patchday: Adobe protects After Effects & Co. from possible attacks
Several Adobe applications are vulnerable to DoS and malware attacks, among other things. Security updates provide a remedy.
Due to several software vulnerabilities, attackers can target systems running the Adobe applications After Effects, Audition, ColdFusion, Connect, Dimension, Experience Manager Forms, Experience Manager Screens, FrameMaker, Illustrator, InCopy, InDesign, Substance 3D Stager, and Substance 3D Viewer. According to Adobe, there are no indications of attacks to date.
Install security patches
The vulnerabilities affect macOS and Windows. The most dangerous is a “critical” vulnerability (CVE-2025-49535) in ColdFusion, which allows attackers to gain read access to system files. It is not yet known how such an attack could take place. ColdFusion 2021 Update 21, ColdFusion 2023 Update 15, and ColdFusion 2025 Update 3 are protected against it.
Vulnerabilities in Connect (CVE-2025-27203) and Experience Manager Forms (CVE-2025-49533) are also classified as “critical”. Through these flaws, malicious code can get onto PCs. The security patches are included in Connect Windows App 25.1 and Experience Manager (AEM) Forms on JEE 6.5.0.0.202505270. InCopy and InDesign are also vulnerable to malicious code attacks. Once attackers can execute their own code on a system, they usually go on to take full control of it.
Adobe lists the remaining security patches in the linked advisories. Unfortunately, the advisories do not make clear how admins can recognize systems that have already been attacked.
- After Effects
- Audition
- ColdFusion
- Connect
- Dimension
- Experience Manager Forms
- Experience Manager Screens
- FrameMaker
- Illustrator
- InCopy
- InDesign
- Substance 3D Stager
- Substance 3D Viewer
(des)