Adobe is closing several security vulnerabilities in various applications. In the worst case, attackers could execute malicious code. Vulnerabilities in AEM Forms, After Effects, AEM Screens, Animate, Bridge, ColdFusion, Commerce, FrameMaker, Media Encoder, Photoshop, Premiere Pro, and the XMP Toolkit SDK endanger PCs.

There are no reports that attackers are already exploiting any vulnerabilities. However, administrators should not delay installing the security updates. Admins can find further information about the vulnerabilities and mitigated versions in the warnings linked below this report.

Systems vulnerable to compromise

Most of the security vulnerabilities affect ColdFusion. Here, developers have closed four "critical" malware vulnerabilities (CVE-2025-24446, CVE-2025-24447, CVE-2025-30281, CVE-2025-30282), among others. The according warning does not specify what specific attacks might look like. Apparently, there are various potential vulnerabilities, such as insufficient input validation and invalid authentication.

The developers claim to have fixed the vulnerabilities in ColdFusion 2021 Update 19, ColdFusion 2023 Update 13, and ColdFusion 2025 Update 1.

Security patches available

Further malicious code attacks are possible on Animate and FrameMaker, among others. Attackers can trigger memory errors at these locations using unspecified methods. To prevent attacks, the developers have released Animate 2023 23.0.11 and Animate 2024 24.0.8 for macOS and Windows. FrameMaker has been secured in the FrameMaker 2020 Update 8 and FrameMaker 2022 Update 6 releases for Windows.

Attackers can also launch a malicious code attack in Photoshop (CVE-2025-27198 "high"). Photoshop 2024 25.12.2 and Photoshop 2025 26.5 have been fixed.

Adobe warnings

Animate Bridge ColdFusion Commerce Experience Manager Forms Experience Manager Screens FrameMaker Media Encoder Photoshop Premiere Pro XMP Toolkit SDK