Adobe has released security updates to fix a fresh set of security flaws, including multiple critical-severity bugs in ColdFusion versions 2025, 2023 and 2021 that could result in arbitrary file read and code execution.
Of the 30 flaws in the product, 11 are rated Critical in severity –
CVE-2025-24446 (CVSS score: 9.1) – An improper input validation vulnerability that could result in an arbitrary file system read
CVE-2025-24447 (CVSS score: 9.1) – A deserialization of untrusted data vulnerability that could result in arbitrary code execution
CVE-2025-30281 (CVSS score: 9.1) – An improper access control vulnerability that could result in an arbitrary file system read
CVE-2025-30282 (CVSS score: 9.1) – An improper authentication vulnerability that could result in arbitrary code execution
CVE-2025-30284 (CVSS score: 8.0) – A deserialization of untrusted data vulnerability that could result in arbitrary code execution
CVE-2025-30285 (CVSS score: 8.0) – A deserialization of untrusted data vulnerability that could result in arbitrary code execution
CVE-2025-30286 (CVSS score: 8.0) – An operating system command injection vulnerability that could result in arbitrary code execution
CVE-2025-30287 (CVSS score: 8.1) – An improper authentication vulnerability that could result in arbitrary code execution
CVE-2025-30288 (CVSS score: 7.8) – An improper access control vulnerability that could result in a security feature bypass
CVE-2025-30289 (CVSS score: 7.5) – An operating system command injection vulnerability that could result in arbitrary code execution
CVE-2025-30290 (CVSS score: 8.7) – A path traversal vulnerability that could result in a security feature bypass
“These updates resolve critical and important vulnerabilities that could lead to arbitrary file system read, arbitrary code execution and security feature bypass,” Adobe said in an advisory.
The vulnerabilities have been resolved in the below versions –
ColdFusion 2021 Update 19
ColdFusion 2023 Update 13, and
ColdFusion 2025 Update 1
Fixes have also been released to address several out-of-bounds write and heap-based buffer overflow bugs in After Effects (CVE-2025-27182, CVE-2025-27183), Media Encoder (CVE-2025-27194, CVE-2025-27195), Bridge (CVE-2025-27193), Premiere Pro (CVE-2025-27196), Photoshop (CVE-2025-27198), Animate (CVE-2025-27199), and FrameMaker (CVE-2025-30304, CVE-2025-30297, CVE-2025-30295) that could lead to arbitrary code execution.
Adobe also noted that it’s not aware of any exploits for any of the aforementioned shortcomings. That said, it’s essential that users update their installations to the latest version to safeguard against potential threats.
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
“}]] The Hacker News
