InfoSecBulletin Cybersecurity for mankind
On Tuesday, Adobe released security updates for 254 vulnerabilities in its software, mainly affecting Experience Manager (AEM). There are 254 flaws, 225 of which are in AEM, affecting AEM Cloud Service and earlier versions up to 6.5.22. These have been addressed in AEM Cloud Service Release 2025.5 and version 6.5.23.
“Successful exploitation of these vulnerabilities could result in arbitrary code execution, privilege escalation, and security feature bypass,” Adobe said in an advisory.
Alert
Trend Micro Apex One Flaw Allow Attackers to Inject Malicious Code
Zero-Click AI Vulnerability Exposes Microsoft 365 Copilot Data Without User Action
Adobe Releases Patch Fixing 254 Vulnerabilities With High-Severity Security Gaps
Alert
40,000 + live internet cameras exposed globally !
Microsoft patch Tuesday fix exploited zero-day and 65 vuls patched
84,000+ Roundcube instances vulnerable to actively exploited flaw
CVE-2025-24016
Critical Wazuh RCE Actively Exploited by Mirai Botnets
CISA Issues Seven Advisories for Industrial Control Systems (ICS)
ClickFix Attack Exploits Fake Cloudflare Human Check to Install Malware
Fortinet flaws now exploited in Qilin ransomware attacks
Nearly all 225 vulnerabilities are identified as cross-site scripting (XSS), consisting of stored XSS and DOM-based XSS, enabling potential arbitrary code execution.
Adobe has acknowledged Jim Green (green-jam), Akshay Sharma (anonymous_blackzero), and lpi for discovering XSS flaws.
The key flaw resolved in this month’s update is a code execution issue in Adobe Commerce and Magento Open Source.
CVE-2025-47110, scoring 9.1, is a critical reflected XSS vulnerability that can lead to arbitrary code execution. There’s also CVE-2025-43585 with a score of 8.2, an improper authorization issue that might result in a security bypass.
The following versions are impacted:
Adobe Commerce (2.4.8, 2.4.7-p5 and earlier, 2.4.6-p10 and earlier, 2.4.5-p12 and earlier, and 2.4.4-p13 and earlier)
Adobe Commerce B2B (1.5.2 and earlier, 1.4.2-p5 and earlier, 1.3.5-p10 and earlier, 1.3.4-p12 and earlier, and 1.3.3-p13 and earlier)
Magento Open Source (2.4.8, 2.4.7-p5 and earlier, 2.4.6-p10 and earlier, 2.4.5-p12 and earlier)
The remaining updates include four that fix code execution issues in Adobe InCopy (CVE-2025-30327, CVE-2025-47107, CVSS scores: 7.8) and in Substance 3D Sampler (CVE-2025-43581, CVE-2025-43588, CVSS scores: 7.8).
None of the bugs are publicly known or exploited, but users should update to the latest version for safety.
