Adobe has issued a set of security updates addressing more than 35 vulnerabilities across its product portfolio. These updates include fixes for several critical flaws affecting widely used applications such as Adobe Connect, Adobe Commerce, Magento Open Source, Creative Cloud Desktop, Bridge, Animate, and others.
Among the most pressing issues addressed is CVE-2025-49553, a critical DOM-based cross-site scripting (XSS) vulnerability in Adobe Connect, rated 9.3 on the CVSS scale. This vulnerability could allow attackers to execute arbitrary code on targeted systems.
A second critical XSS flaw in Adobe Connect, CVE-2025-49552, was also identified. Adobe Connect version 12.10 for Windows and macOS resolves both vulnerabilities, along with a moderate-severity open redirect issue (CVE-2025-54196).
Despite no evidence of these vulnerabilities being actively exploited, Adobe has urged users to update immediately. “We recommend all customers deploy these updates as soon as possible,” the company said in its advisory.
Adobe Connect: Primary Focus of the October Update
The Adobe security update most critical this cycle revolves around Adobe Connect, a virtual conferencing platform used across industries. Three distinct vulnerabilities were patched:
- CVE-2025-49553: DOM-based XSS – Critical (CVSS 9.3)
- CVE-2025-49552: DOM-based XSS – Critical (CVSS 7.3)
- CVE-2025-54196: Open Redirect – Moderate
These vulnerabilities were disclosed by a researcher known as Laish (a_l). Users are urged to update to version 12.10 to mitigate the risk of exploitation.
Commerce and Magento Open Source: High-Risk Targets
Adobe’s e-commerce platforms, Adobe Commerce and Magento Open Source, also received attention. Five vulnerabilities were addressed in bulletin APSB25-94, including:
- CVE-2025-54263: Improper Access Control – Critical
- CVE-2025-54264 & CVE-2025-54266: Stored XSS – Critical/Important
- CVE-2025-54265 & CVE-2025-54267: Incorrect Authorization – Important
These flaws could enable attackers to escalate privileges or bypass authentication controls. Affected versions range from 2.4.4 to 2.4.9 for Commerce and Magento Open Source, as well as Commerce B2B editions 1.3.3 to 1.5.3. Adobe has marked this update with a priority rating of 2, indicating a higher likelihood of real-world exploitation compared to other products.
Creative Tools: High-Severity Vulnerabilities Across the Board
Adobe’s Creative Suite was not spared, with critical vulnerabilities fixed across multiple tools, including:
- Substance 3D Stager
- Dimension
- Illustrator
- FrameMaker
- Substance 3D Modeler
- Substance 3D Viewer
- Bridge
- Animate
Each of these updates addressed high-severity bugs, mainly use-after-free, out-of-bounds read/write, heap-based buffer overflows, and integer overflows. While most were scored 7.8 (CVSS), Adobe classified them as critical due to their potential to lead to arbitrary code execution.
For instance, Adobe Animate patched four vulnerabilities:
- CVE-2025-54279 (Use After Free – Critical)
- CVE-2025-61804 (Buffer Overflow – Critical)
- CVE-2025-54269 (Out-of-bounds Read – Important)
- CVE-2025-54270 (NULL Pointer Dereference – Important)
Updates are available for Animate 2023 (v23.0.15) and Animate 2024 (v24.0.12), accessible through the Creative Cloud desktop app or enterprise deployment tools.
Priority Ratings and Risk Management
Adobe employs a priority rating system to help users assess the urgency of each update. Most of the October 14 patches were rated as Priority 3, meaning exploitation is unlikely in the near term. However, updates for Commerce and Magento Open Source were marked Priority 2, suggesting an increased risk of attack due to the public exposure of these platforms.
Although none of the disclosed vulnerabilities have been exploited in the wild, Adobe strongly advises all users, both individuals and enterprises, to deploy the patches as a proactive measure.
Security updates are available via the Creative Cloud Desktop application for individual users, while enterprise environments can deploy patches through the Adobe Admin Console.
