Adobe ColdFusion Security Update Fixes 11 Critical Flaws


Adobe has issued a major set of security updates that patch multiple critical vulnerabilities in ColdFusion and several popular Creative Cloud applications. Some of the newly disclosed flaws carry severity ratings above 9 on the CVSS scale. If left unpatched, they could allow attackers to execute malicious code, read arbitrary files, or bypass important security protections.

In total, Adobe fixed 30 security issues in ColdFusion versions 2021, 2023, and the newly released 2025. Eleven of those vulnerabilities are considered critical, with risks ranging from arbitrary file reads to remote code execution. The most severe issues include CVE-2025-24446 and CVE-2025-24447, both scoring 9.1 on the CVSS scale. These stem from improper input validation and insecure deserialization, leaving systems open to serious compromise.

Additional high-severity bugs patched in this release include CVE-2025-30281 and CVE-2025-30282, which impact access control and authentication mechanisms. Both flaws could lead to full code execution or exposure of sensitive data stored on the file system. Several other vulnerabilities scored in the high-to-critical range, including operating system command injection and path traversal issues.

The ColdFusion updates are now available for the following versions:

  • 2021 Update 19
  • 2023 Update 13
  • 2025 Update 1

Adobe urges all users to upgrade immediately, especially those running applications exposed to the internet or handling sensitive workloads. These patches close multiple loopholes that cybercriminals could use to breach server environments or launch targeted exploits.

Beyond ColdFusion, Adobe also pushed out updates to address security weaknesses in a range of Creative Cloud products, including After Effects, Media Encoder, Bridge, Premiere Pro, Photoshop, Animate, and FrameMaker. These fixes target flaws like heap-based buffer overflows and out-of-bounds write bugs, all of which could be exploited to execute arbitrary code.

For example, After Effects and Media Encoder were found vulnerable to memory corruption bugs (CVE-2025-27182 through CVE-2025-27195), while FrameMaker had multiple flaws (CVE-2025-30304, CVE-2025-30297, CVE-2025-30295) capable of triggering remote code execution.

At this time, Adobe says it has not detected any active exploitation of these issues in the wild. Still, the company recommends users act quickly. These updates are designed to prevent future attacks by proactively closing serious security gaps.

As cyber threats evolve and software vulnerabilities become more valuable to attackers, applying security patches without delay has never been more important. Keeping your Adobe products updated not only protects data and system integrity but also helps reduce the risk of falling victim to ransomware, data theft, or other costly breaches.
