Adobe Patch Day: Vulnerabilities in Acrobat & Co. can let malicious code onto PCs
Attackers can attack Adobe Acrobat, ColdFusion and Premiere Pro, among others. Security patches are available.
Several Adobe applications are vulnerable on macOS and Windows. In some cases, other platforms are also affected. In the worst case, attackers can gain full control of computers.
Protect systems
Because a full list of the security updates is beyond the scope of this article, the security advisories listing the versions are linked at the end of this article. As usual, Adobe does not reveal any information about possible attack scenarios. So far, there are no indications that attackers are already exploiting the vulnerabilities. However, admins should not wait too long to install the security updates.
Malicious code can reach systems via several vulnerabilities in various Acrobat applications (e.g., CVE-2025-54257, “high”). After a successful attack, After Effects leaks unspecified content from memory (e.g., CVE-2025-54239, “medium”). Attacks on ColdFusion 2021, 2023, and 2025 can give attackers write access to the file system (CVE-2025-54261, “critical”).
A vulnerability in Commerce (CVE-2025-54236, “critical”) allows attackers to bypass security mechanisms. This is also the case with Experience Manager. Dreamweaver is vulnerable to a CSRF attack (CVE-2025-54256, “critical”). Premiere Pro can let malicious code through (CVE-2025-54242, “high”). Substance 3D Modeler and Substance 3D Viewer are also susceptible to malicious code attacks (e.g., CVE-2025-54243, “high”).
List of security patches:
- Acrobat and Reader
- After Effects
- ColdFusion
- Commerce
- Dreamweaver
- Experience Manager
- Premiere Pro
- Substance 3D Modeler
- Substance 3D Viewer
(des)