Adobe Issues Major Security Patch Addressing 254 Vulnerabilities in Software Products

Adobe has announced security updates that correct a total of 254 vulnerabilities in its software products, most of them in Experience Manager (AEM). Released on June 10, 2025, the updates address flaws that could allow arbitrary code execution and privilege escalation.

Of these vulnerabilities, a staggering 225 affect AEM Cloud Service and all AEM versions up to and including 6.5.22. The company has released AEM Cloud Service Release 2025.5 and version 6.5.23 to remediate these issues. The vast majority of these vulnerabilities are classified as cross-site scripting (XSS), a mix of stored XSS and DOM-based XSS, which hackers could exploit to execute arbitrary code.

Adobe’s advisory highlighted the severity of the situation, stating, “Successful exploitation of these vulnerabilities could result in arbitrary code execution, privilege escalation, and security feature bypass.” The potential impact of these vulnerabilities underlines the importance of timely software updates to protect user data and system integrity.

Security researchers, including Jim Green (green-jam), Akshay Sharma (anonymous_blackzero), and lpi, were credited with identifying and reporting these crucial XSS vulnerabilities. Among the critical flaws addressed is CVE-2025-47110, which carries a CVSS score of 9.1, along with CVE-2025-43585, also noted for its potential to lead to security feature bypass.

The vulnerabilities affecting Adobe Commerce and Magento Open Source are particularly concerning, impacting multiple versions and emphasizing the necessity for users to stay updated. Other code execution flaws were also reported in Adobe InCopy and Substance 3D Sampler. Users are urged to adopt the latest versions to ensure the security of their applications.