
Adobe has released a sweeping security update, addressing a staggering 254 vulnerabilities across its product suite. The overwhelming majority, 225 flaws, were discovered in Adobe Experience Manager (AEM), including AEM as a Cloud Service and all builds up to and including version 6.5.22. These issues were rectified in the release of AEM Cloud Service 2025.5 and version 6.5.23.
According to the company, successful exploitation of these vulnerabilities could lead to arbitrary code execution, privilege escalation, and circumvention of security mechanisms. Nearly all identified flaws were classified as cross-site scripting (XSS), specifically persistent (stored) and DOM-based XSS attacks. These vulnerabilities allow malicious JavaScript code to be injected and executed within a victim’s browser upon interaction with compromised content.
The vulnerabilities in AEM were discovered and responsibly disclosed by security researchers operating under the pseudonyms Jim Green (green-jam), Akshay Sharma (anonymous_blackzero), and lpi, whose findings enabled Adobe to swiftly remediate the threats.
However, the most critical vulnerability in this update cycle did not affect AEM, but rather Adobe Commerce and Magento Open Source. Tracked as CVE-2025-47110, this reflected XSS flaw received a CVSS score of 9.1, signifying its potential to allow arbitrary code execution. Additionally, Adobe resolved CVE-2025-43585, an authorization flaw with a severity rating of 8.2, which could enable attackers to bypass protective controls.
The following product versions are vulnerable:
- Adobe Commerce: Versions 2.4.8, 2.4.7-p5 and earlier; 2.4.6-p10 and earlier; 2.4.5-p12 and earlier; 2.4.4-p13 and earlier
- Adobe Commerce B2B: Versions 1.5.2 and earlier; 1.4.2-p5 and earlier; 1.3.5-p10 and earlier; 1.3.4-p12 and earlier; 1.3.3-p13 and earlier
- Magento Open Source: Versions 2.4.8, 2.4.7-p5 and earlier; 2.4.6-p10 and earlier; 2.4.5-p12 and earlier
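As an added check that is not part of the original article: a small Python script that parses the version strings listed above (including their `-pN` patch suffixes) and reports whether an installed Adobe Commerce, Adobe Commerce B2B or Magento Open Source build falls inside the affected ranges. The product names used as dictionary keys, and the reading of the trailing "and earlier" as covering every older release line, are assumptions made here.

```python
import re
from typing import Tuple

# Highest affected version on each release line, copied from the advisory list
# above. A bare "2.4.8" means that release itself (patch level 0) is affected.
AFFECTED_CEILINGS = {
    "Adobe Commerce": ["2.4.8", "2.4.7-p5", "2.4.6-p10", "2.4.5-p12", "2.4.4-p13"],
    "Adobe Commerce B2B": ["1.5.2", "1.4.2-p5", "1.3.5-p10", "1.3.4-p12", "1.3.3-p13"],
    "Magento Open Source": ["2.4.8", "2.4.7-p5", "2.4.6-p10", "2.4.5-p12"],
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-p(\d+))?$")


def parse_version(text: str) -> Tuple[Tuple[int, int, int], int]:
    """Split '2.4.7-p5' into ((2, 4, 7), 5); a bare '2.4.8' has patch level 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, point, patch = m.groups()
    return (int(major), int(minor), int(point)), int(patch or 0)


def is_affected(product: str, installed: str) -> bool:
    """Return True if `installed` is within the advisory's affected range.

    A release line that appears in the list is affected up to and including its
    listed patch level, so 2.4.7-p6 is outside the range while 2.4.7-p5 is inside.
    Assumption: the "and earlier" after the oldest listed line (e.g. 2.4.4-p13)
    is read as covering every older release line as well.
    """
    base, patch = parse_version(installed)
    ceilings = [parse_version(c) for c in AFFECTED_CEILINGS[product]]
    for c_base, c_patch in ceilings:
        if base == c_base:
            return patch <= c_patch
    oldest = min(ceilings)
    return (base, patch) < oldest


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    inventory = [("Magento Open Source", "2.4.7-p5"), ("Adobe Commerce", "2.4.8-p1")]
    for product, version in inventory:
        state = "AFFECTED" if is_affected(product, version) else "not listed"
        print(f"{product} {version}: {state}")
```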
Additionally, Adobe patched two remote code execution vulnerabilities each in Adobe InCopy (CVE-2025-30327 and CVE-2025-47107) and Substance 3D Sampler (CVE-2025-43581 and CVE-2025-43588). Each of these issues carries a CVSS score of 7.8 and can be triggered by opening specially crafted files, posing a potential risk to users.
As of the time of publication, none of the vulnerabilities were publicly disclosed or known to be exploited in the wild. Nevertheless, Adobe strongly urges all users to update their software to the latest available versions to mitigate any potential security incidents.