
Adobe Patches Critical ColdFusion and Commerce Vulnerabilities

Adobe has patched nearly two dozen vulnerabilities across nine of its products with its September 2025 Patch Tuesday updates. The post Adobe Patches Critical ColdFusion and Commerce Vulnerabilities appeared first on SecurityWeek.

Adobe has patched nearly two dozen vulnerabilities across nine of its products with its September 2025 Patch Tuesday updates, including critical flaws in ColdFusion and Commerce.

The critical ColdFusion vulnerability, tracked as CVE-2025-54261 with a CVSS score of 9.0, has been described as a path traversal issue that can lead to an arbitrary file system write. It impacts ColdFusion 2021, 2023, and 2025 on all platforms. 

Adobe says it’s not aware of any in-the-wild exploitation of CVE-2025-54261, but assigned the flaw a priority rating of ‘1’, which indicates that it should be addressed as soon as possible (within 72 hours is recommended). 

It’s not uncommon for threat actors to exploit ColdFusion vulnerabilities in attacks. The most recent is CVE-2024-20767, patched by Adobe in March 2024 and reported as being exploited in December 2024. 

Internet scans show hundreds of thousands of ColdFusion instances exposed to the web and possibly vulnerable to attacks. 

The critical vulnerability fixed in Commerce, as well as in Magento Open Source, is CVE-2025-54236, which can be exploited by an unauthenticated attacker to bypass a security feature. Magento vulnerabilities are also often exploited in the wild. 

Security firm Sansec said Adobe’s patch for CVE-2025-54236 was accidentally leaked last week and attackers may already be working on weaponizing it. Sansec dubbed the vulnerability SessionReaper and warned that it could lead to account takeover and unauthenticated remote code execution under certain conditions.

Adobe patched high-severity vulnerabilities in Acrobat Reader, Premiere Pro, Substance 3D Viewer, Experience Manager (AEM), Dreamweaver, and Substance 3D Modeler. These security holes can allow arbitrary code execution and security feature bypasses. 

It’s worth noting that these flaws are listed as ‘critical’ in Adobe’s advisories, but they are ‘high severity’ based on their CVSS score. 

Medium- and low-severity issues have been resolved in Acrobat Reader, Experience Manager (AEM), and After Effects. They can lead to a security feature bypass or memory exposure.

The high- and medium-severity flaws have a priority rating of ‘3’, which indicates that Adobe does not expect them to be exploited in attacks.

Microsoft has fixed 86 vulnerabilities with its latest Patch Tuesday updates.

Related: Adobe Patches ColdFusion Flaw at High Risk of Exploitation

Related: Adobe Patches Over 60 Vulnerabilities Across 13 Products

Related: Adobe Issues Out-of-Band Patches for AEM Forms Vulnerabilities With Public PoC
