Adobe December 2024 Patch Day

In December, Adobe put together updates to fix 167 mainly critical vulnerabilities, for example in Acrobat, Illustrator, InDesign, Photoshop and Animate.

The manufacturer has distributed 167 eliminated security vulnerabilities across 16 security bulletins. Acrobat and Reader, After Effects, Animate, Bridge, Connect, Experience Manager (AEM), FrameMaker, Illustrator, InDesign, Media Encoder, Photoshop, Premiere Pro, Substance 3D Modeler, Substance 3D Painter and Substance 3D Sampler are vulnerable. All programs have at least one vulnerability classified as critical.

Attacks that exploit one of the security vulnerabilities are not known to date. Adobe therefore assigns the lowest urgency level of 3 for all updates. The information always applies to Windows and macOS or all platforms.

The updates for the PDF tools Acrobat and Acrobat Reader by no means make up the largest part of the pre-Christmas security package from Mountain View, California. Adobe classifies two of the six eliminated security vulnerabilities as critical. Both CVE-2024-49530 and CVE-2024-49535 could be exploited with crafted PDF files to inject and execute code. In addition, there is a similar vulnerability (CVE-2024-49513) in the PDF Library Software Development Kit (PDFL SDK).

The biggest problem is Experience Manager (AEM) with 91 fixed security vulnerabilities, of which Adobe classifies one RCE hole as critical. The last AEM updates were in June, when Adobe had to close 144 vulnerabilities. In Connect, the manufacturer has eliminated 20 vulnerabilities, five of which are classified as critical. As with AEM, these are mostly XSS vulnerabilities.

Adobe classifies all 13 security vulnerabilities fixed in Animate as critical. All of them can allow an attacker to execute arbitrary code with user rights. In After Effects, the manufacturer has plugged a data leak that was classified as critical. In Illustrator 2024 and 2025, the manufacturer has plugged two vulnerabilities that it classifies as critical. In InDesign, updates eliminate nine vulnerabilities, three of which Adobe classifies as critical. In Photoshop 2025, Adobe has closed a Use after free vulnerability that was classified as critical.

Find all Adobe security bulletins here.