Adobe Patches 254 Vulnerabilities — Majority in Experience Manager (AEM)

Published on 10 June 2025 at 17:34

On Tuesday, Adobe rolled out a critical security update patching a total of 254 vulnerabilities across its product suite, with a major focus on Adobe Experience Manager (AEM). This significant update addresses numerous high-severity issues that could be exploited for arbitrary code execution, privilege escalation, and security feature bypass.

🔧 AEM Takes the Biggest Hit

Out of the 254 vulnerabilities, a staggering 225 affect Adobe Experience Manager, covering both AEM as a Cloud Service and on-premise versions up to 6.5.22. Adobe has resolved these issues in AEM Cloud Service Release 2025.5 and version 6.5.23.

Most of the AEM-related vulnerabilities are cross-site scripting (XSS) issues, including a combination of stored XSS and DOM-based XSS. These flaws, if successfully exploited, could allow attackers to execute arbitrary code or compromise system integrity.

“Successful exploitation of these vulnerabilities could result in arbitrary code execution, privilege escalation, and security feature bypass,” said Adobe in their official advisory.

Credit for identifying and responsibly disclosing these flaws goes to security researchers Jim Green (green-jam), Akshay Sharma (anonymous_blackzero), and lpi.

⚠️ Critical Vulnerabilities in Adobe Commerce and Magento

Among the most severe issues patched in this release is a reflected XSS vulnerability (CVE-2025-47110, CVSS 9.1) in Adobe Commerce and Magento Open Source, which could result in arbitrary code execution. Additionally, Adobe addressed an improper authorization flaw (CVE-2025-43585, CVSS 8.2) that may allow security feature bypass.

Impacted versions include:

  • Adobe Commerce (2.4.8, 2.4.7-p5 and earlier, 2.4.6-p10 and earlier, 2.4.5-p12 and earlier, 2.4.4-p13 and earlier)

  • Adobe Commerce B2B (1.5.2 and earlier, 1.4.2-p5 and earlier, 1.3.5-p10 and earlier, 1.3.4-p12 and earlier, 1.3.3-p13 and earlier)

  • Magento Open Source (2.4.8, 2.4.7-p5 and earlier, 2.4.6-p10 and earlier, 2.4.5-p12 and earlier)

🖥️ Other Affected Products

Adobe also patched four code execution vulnerabilities:

  • Adobe InCopy (CVE-2025-30327, CVE-2025-47107 – CVSS 7.8)

  • Substance 3D Sampler (CVE-2025-43581, CVE-2025-43588 – CVSS 7.8)

Though none of the vulnerabilities are currently known to be exploited in the wild, Adobe strongly urges users and administrators to update to the latest versions immediately to reduce exposure and prevent potential attacks.

🛡️ Stay Secure: What to Do Now

To protect your systems:

  • Apply all updates immediately, especially if you use AEM, Adobe Commerce, or Magento.

  • Audit your software inventory to remove outdated or unused applications.

  • Enable automatic updates where possible to stay ahead of emerging threats.

  • Monitor vendor advisories and threat intelligence feeds regularly.
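One way to turn the impacted-version list above into the inventory audit the checklist asks for, as an added example that is not part of the original post or any Adobe tooling: the product names, host names and inventory rows are constructed for illustration, and each listed ceiling is read as "that patch level and earlier within the same release line", with release lines the advisory does not mention reported as unknown rather than guessed.

```python
import re
from typing import Optional

# Version ceilings quoted in the article: each entry means "this patch
# level and earlier" within that release line. A bare release such as
# 2.4.8 is treated as patch level 0. Product keys are constructed labels.
AFFECTED = {
    "adobe-commerce": ["2.4.8", "2.4.7-p5", "2.4.6-p10", "2.4.5-p12", "2.4.4-p13"],
    "adobe-commerce-b2b": ["1.5.2", "1.4.2-p5", "1.3.5-p10", "1.3.4-p12", "1.3.3-p13"],
    "magento-open-source": ["2.4.8", "2.4.7-p5", "2.4.6-p10", "2.4.5-p12"],
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-p(\d+))?$")


def parse_version(text: str) -> tuple:
    """Split '2.4.7-p5' into ((2, 4, 7), 5); a bare '2.4.8' has patch level 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, rel, patch = m.groups()
    return (int(major), int(minor), int(rel)), int(patch or 0)


def is_affected(product: str, version: str) -> Optional[bool]:
    """True if the installed version is at or below a listed ceiling, False if it
    is newer on a listed line, None if the list says nothing about that line."""
    line, patch = parse_version(version)
    for ceiling in AFFECTED[product]:
        c_line, c_patch = parse_version(ceiling)
        if c_line == line:
            return patch <= c_patch
    return None


def audit(inventory) -> list:
    """Inventory rows of (host, product, version); return hosts needing the update.
    Unknown lines (None) are left out here and should be reviewed by hand."""
    return sorted(host for host, product, version in inventory
                  if is_affected(product, version))


# Constructed sample inventory; these are not real hosts.
SAMPLE_INVENTORY = [
    ("shop-01", "magento-open-source", "2.4.7-p5"),  # at the ceiling: affected
    ("shop-02", "magento-open-source", "2.4.7-p6"),  # newer than the ceiling
    ("shop-03", "adobe-commerce", "2.4.8"),          # listed bare release
    ("b2b-01", "adobe-commerce-b2b", "1.4.2-p3"),    # below the ceiling: affected
    ("legacy-01", "adobe-commerce", "2.4.3-p2"),     # line not listed: unknown
]

if __name__ == "__main__":
    for host in audit(SAMPLE_INVENTORY):
        print(host)
```

Hosts on release lines the list does not mention come back as None, so a real audit should flag them for manual review rather than treat them as safe.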


CyberTech Guard will continue to monitor Adobe's updates and other major vendor releases to keep you informed and secure.

📌 Stay patched. Stay protected.
