Adobe has released security updates to fix a fresh set of security flaws, including multiple critical-severity bugs in ColdFusion versions 2025, 2023 and 2021 that could result in arbitrary file read and code execution.
Of the 30 flaws in the product, 11 are rated Critical in severity –
- CVE-2025-24446 (CVSS score: 9.1) – An improper input validation vulnerability that could result in an arbitrary file system read
- CVE-2025-24447 (CVSS score: 9.1) – A deserialization of untrusted data vulnerability that could result in arbitrary code execution
- CVE-2025-30281 (CVSS score: 9.1) – An improper access control vulnerability that could result in an arbitrary file system read
- CVE-2025-30282 (CVSS score: 9.1) – An improper authentication vulnerability that could result in arbitrary code execution
- CVE-2025-30284 (CVSS score: 8.0) – A deserialization of untrusted data vulnerability that could result in arbitrary code execution
- CVE-2025-30285 (CVSS score: 8.0) – A deserialization of untrusted data vulnerability that could result in arbitrary code execution
- CVE-2025-30286 (CVSS score: 8.0) – An operating system command injection vulnerability that could result in arbitrary code execution
- CVE-2025-30287 (CVSS score: 8.1) – An improper authentication vulnerability that could result in arbitrary code execution
- CVE-2025-30288 (CVSS score: 7.8) – An improper access control vulnerability that could result in a security feature bypass
- CVE-2025-30289 (CVSS score: 7.5) – An operating system command injection vulnerability that could result in arbitrary code execution
- CVE-2025-30290 (CVSS score: 8.7) – A path traversal vulnerability that could result in a security feature bypass
“These updates resolve critical and important vulnerabilities that could lead to arbitrary file system read, arbitrary code execution and security feature bypass,” Adobe said in an advisory.
The vulnerabilities have been resolved in the below versions –
- ColdFusion 2021 Update 19
- ColdFusion 2023 Update 13, and
- ColdFusion 2025 Update 1
Fixes have also been released to address several out-of-bounds write and heap-based buffer overflow bugs in After Effects (CVE-2025-27182, CVE-2025-27183), Media Encoder (CVE-2025-27194, CVE-2025-27195), Bridge (CVE-2025-27193), Premiere Pro (CVE-2025-27196), Photoshop (CVE-2025-27198), Animate (CVE-2025-27199), and FrameMaker (CVE-2025-30304, CVE-2025-30297, CVE-2025-30295) that could lead to arbitrary code execution.
Adobe also noted that it’s not aware of any exploits for any of the aforementioned shortcomings. That said, it’s essential that users update their installations to the latest version to safeguard against potential threats.
