Adobe has issued a new set of security patches addressing more than 60 vulnerabilities across 13 of its widely used software products. This update, part of the company’s routine Adobe Patch Tuesday cycle, includes critical fixes for applications ranging from Adobe Commerce and Illustrator to its Substance 3D suite.
The Adobe security update rollout includes advisories APSB25-71 through APSB25-84 (excluding APSB25-82), reflecting Adobe’s ongoing efforts to resolve a growing array of security threats, many of which could lead to arbitrary code execution, denial-of-service (DoS), memory leaks, and unauthorized privilege escalation.
Decoding the Latest Adobe Security Update
The most pressing fixes in this Adobe security update come under APSB25-71, which addresses multiple critical vulnerabilities in Adobe Commerce, Magento Open Source, and Commerce B2B. Six distinct CVEs were highlighted in this category, affecting versions 2.4.8‑p1 and earlier. These include:
- CVE‑2025‑49554: Improper input validation (DoS)
- CVE‑2025‑49555: CSRF vulnerability (privilege escalation)
- CVE‑2025‑49556: Authentication bypass (arbitrary file system read)
- CVE‑2025‑49557: Stored XSS (privilege escalation)
- CVE‑2025‑49558 & CVE‑2025‑49559: TOCTOU and path traversal vulnerabilities (security feature bypass)
Adobe assigned these issues a priority rating of 2, urging users to update immediately to mitigate the risk of exploitation. The patched versions now extend to 2.4.8‑p2 and 2.4.7‑p7 for Commerce, and up to 1.5.2‑p2 for Commerce B2B.
Substance 3D Products Hit Hard
A notable chunk of the Adobe vulnerabilities was discovered in the Substance 3D product line, including Viewer, Modeler, Painter, Sampler, and Stager, across bulletins APSB25-72, 76, 77, 78, and 81. These include critical code execution bugs caused by heap-based buffer overflows and out-of-bounds writes.
Key CVEs in this category:
- CVE‑2025‑49560 and CVE‑2025‑49569 (Substance 3D Viewer)
- CVE‑2025‑49571 to CVE‑2025‑49573 and CVE‑2025‑54186 to 54235 (Substance 3D Modeler)
- CVE‑2025‑54187 to CVE‑2025‑54195 (Substance 3D Painter)
- CVE‑2025‑54205 (Substance 3D Sampler)
- CVE‑2025‑54222 and CVE‑2025‑54237 (Substance 3D Stager)
These vulnerabilities are largely related to unsafe memory operations, posing risks of crashes, data corruption, and remote code execution. The priority rating across these products is marked as 3, indicating that important but less urgent action is required; however, updates are still strongly advised.
Popular Creative Tools Also Affected
Adobe Illustrator (APSB25‑74)
Multiple high-impact bugs were found in Illustrator 2024 and 2025, including:
- CVE‑2025‑49563: Out-of-bounds write
- CVE‑2025‑49564: Stack-based buffer overflow
- CVE‑2025‑49567: NULL pointer dereference (DoS)
- CVE‑2025‑49568: Use-after-free (code execution)
Users are urged to upgrade to Illustrator 2025 version 29.7 or later and Illustrator 2024 version 28.7.9 or later.
Adobe Photoshop (APSB25‑75)
A critical out-of-bounds write bug (CVE‑2025‑49570) in Photoshop 2025 and 2024 could allow arbitrary code execution. Updated versions are available as 26.9 and 25.12.4, respectively.
Adobe Animate (APSB25‑73)
Two vulnerabilities, including a use-after-free flaw (CVE‑2025‑49561) and a memory leak (CVE‑2025‑49562), were patched in Animate versions 23.0.13 and 24.0.10.
Adobe InDesign, InCopy, and FrameMaker Also Patched
Adobe InDesign (APSB25‑79) and InCopy (APSB25‑80) received several critical patches covering heap overflows, use-after-free errors, and out-of-bounds writes.
InCopy Fixes:
- CVE-2025-54215 to CVE-2025-54223: All critical vulnerabilities allow arbitrary code execution
- Affected versions: InCopy 20.4 and 19.5.4, and earlier
- Updated versions: 20.5 and 19.5.5
InDesign Fixes:
- CVE-2025-54206 to CVE-2025-54228: Critical memory-related issues
- Updates are available through Creative Cloud or manual update channels
FrameMaker (APSB25‑83) was also updated to fix critical use-after-free bugs (CVE‑2025‑54229 to 54232) and a memory leak (CVE‑2025‑54233). The updates apply to the 2020 and 2022 releases.
Adobe Dimension Receives Low-Key But Necessary Fix
APSB25‑84 addresses a single, important memory leak vulnerability in Adobe Dimension (CVE‑2025‑54238). Though no exploits are known to exist in the wild, the vulnerability still warrants action. Users should move to version 4.1.4 across both Windows and macOS.
No Known Exploits But Risks Remain
The organization emphasized that it is not aware of any active exploits for the vulnerabilities disclosed in this Adobe security update. Nonetheless, the company strongly recommends updating to patched versions immediately.
Exploitable vulnerabilities such as buffer overflows, improper input validation, and use-after-free issues remain a serious concern even if not yet weaponized in the wild.
Research Contributions
Multiple independent researchers and security professionals contributed to the discovery and responsible disclosure of these Adobe vulnerabilities. Contributors included:
- Francis Provencher (prl)
- Jony (jony_juice)
- yjdfy
- voidexploit
- kaiksi, blaklis, akashhamal0x01, wohlie, and others
Their efforts were acknowledged in Adobe’s official bulletins.
Conclusion
With over 60 vulnerabilities addressed, the August Adobe security update is among the more extensive security update cycles in recent months. While none of the flaws have been publicly exploited as of this writing, the nature of many, especially those that enable code execution, means organizations and individuals should not delay applying the necessary patches.
Administrators managing enterprise deployments are advised to use the Adobe Admin Console or Creative Cloud Packager to implement updates across systems. For individual users, the Creative Cloud Desktop App provides access to the latest secure versions.
