Adobe Patches Critical RCE Flaws in FrameMaker Publishing, Commerce, and Magento
Adobe released security updates for multiple critical vulnerabilities affecting Adobe FrameMaker Publishing Server, Adobe Commerce, Magento Open Source, and the Adobe Commerce Webhooks extension. The most serious issues include CVE-2024-30299 and CVE-2024-30300 in FrameMaker Publishing Server and CVE-2024-34102 in Adobe Commerce and Magento, with severity reaching CVSS 10.0. Successful exploitation could allow arbitrary code execution, security feature bypass, and privilege escalation.
Adobe also issued critical fixes for Adobe Experience Manager, Creative Cloud Desktop, Photoshop, and Substance 3D Stager to address vulnerabilities that could enable code execution, unauthorized system access, and exposure of sensitive data. National cybersecurity authorities highlighted the breadth and severity of the flaws and urged organizations using affected Adobe products to apply vendor patches immediately in line with Adobe guidance.
Timeline
Jun 13, 2024
Adobe publishes additional critical updates across other product lines
Alongside the above fixes, Adobe also released critical security updates for Adobe Experience Manager, Adobe Creative Cloud Desktop, Adobe Photoshop, and Adobe Substance 3D Stager. These updates addressed vulnerabilities that could allow code execution, system access, or unauthorized access to data.
Jun 13, 2024
Adobe releases critical patches for FrameMaker, Commerce, and Magento
Adobe issued security updates for Adobe FrameMaker Publishing Server, Adobe Commerce, Magento Open Source, and the Adobe Commerce Webhooks extension to fix multiple critical vulnerabilities. The flaws included CVE-2024-30299 and CVE-2024-30300 in FrameMaker Publishing Server and CVE-2024-34102 in Adobe Commerce and Magento, with potential impacts including remote code execution, security feature bypass, and privilege escalation.
Related Stories

Critical Vulnerabilities Patched in Multiple Adobe Products Allowing Arbitrary Code Execution
Adobe released urgent security updates addressing over 35 vulnerabilities across a wide range of its products, with several flaws rated as critical due to their potential to allow arbitrary code execution. The most severe vulnerabilities affect Adobe Connect, Adobe Commerce, Magento Open Source, Creative Cloud Desktop, Bridge, Animate, and other widely used applications. Among the most critical issues are two DOM-based cross-site scripting (XSS) vulnerabilities in Adobe Connect, identified as CVE-2025-49553 and CVE-2025-49552, with CVSS scores of 9.3 and 7.3 respectively. These vulnerabilities could enable attackers to execute arbitrary code on targeted systems if exploited. A moderate-severity open redirect vulnerability (CVE-2025-54196) was also patched in Adobe Connect. The vulnerabilities were disclosed by a security researcher known as Laish (a_l), and Adobe Connect users are specifically urged to update to version 12.10 for both Windows and macOS to mitigate these risks.
Adobe Commerce and Magento Open Source, both critical e-commerce platforms, were also affected by high-risk vulnerabilities that could potentially compromise online stores. Other Adobe products receiving security updates include Creative Cloud, Bridge, Animate, Experience Manager, Substance 3D Viewer, Substance 3D Modeler, FrameMaker, Illustrator, Dimension, and Substance 3D Stager. Adobe has stated that, as of the time of the advisory, there is no evidence that these vulnerabilities have been exploited in the wild. Nevertheless, the company strongly recommends that all customers apply the updates immediately to prevent potential exploitation. The vulnerabilities span a variety of attack vectors, including XSS and open redirect, which could be leveraged for code execution or phishing attacks. The breadth of affected products highlights the widespread risk to organizations relying on Adobe’s software for collaboration, content creation, and e-commerce.
Security advisories from both industry groups and Adobe emphasize the urgency of patching, especially for organizations using Adobe Connect and e-commerce platforms. The updates are part of Adobe’s regular security cycle, but the critical nature of several flaws makes this release particularly important. Organizations are advised to review their deployment of Adobe products and prioritize patching based on the severity and exposure of affected systems. The disclosure and rapid patching of these vulnerabilities underscore the ongoing need for vigilance and timely software updates in enterprise environments. Adobe’s response demonstrates a coordinated effort to address security risks across its product suite. The advisories provide detailed information on affected versions and recommended mitigation steps. Security teams should monitor for any signs of attempted exploitation and ensure that all relevant systems are updated promptly. The incident serves as a reminder of the persistent threat posed by software vulnerabilities in widely deployed applications.
1 month ago
Adobe March 2026 Security Updates Across Multiple Products
Adobe published its March 2026 security advisories covering **multiple vulnerabilities** across a broad set of products, with impacts including **remote code execution (RCE)**, **elevation of privilege**, **cross-site scripting (XSS)**, **information disclosure**, **denial of service**, and **security restriction bypass**. Products called out include **Adobe Commerce** (including *Adobe Commerce B2B* and *Magento Open Source*), **Illustrator**, **Acrobat/Reader**, **Premiere Pro**, **Experience Manager (AEM)**, **Substance 3D Painter**, **Substance 3D Stager**, and the **Adobe DNG SDK**. The Hong Kong CERT bulletin characterized the overall risk level of the March release as **Medium**, listing eight medium-risk product advisories (e.g., `APSB26-05`, `APSB26-18`, `APSB26-24`, `APSB26-26`). Canada’s Cyber Centre alert (**AV26-215**) echoed the same advisory set and provided affected version ranges (e.g., *Illustrator 2025* prior to 29.8.4/30.1, *Acrobat/Reader DC* prior to 25.001.21265, *Premiere Pro* prior to 25.5, *AEM* Cloud Service and 6.5 LTS/6.5 SP23 and prior, and *DNG SDK* prior to 1.7.1 build 2471), urging organizations to review Adobe’s advisories and apply the required updates.
1 month ago
Multiple Critical Vulnerabilities in Adobe Products Allowing Arbitrary Code Execution
Adobe released security advisories addressing multiple vulnerabilities across a range of its products, including ColdFusion, Adobe Experience Manager (AEM), DNG Software Development Kit (SDK), Acrobat, Acrobat Reader, and the Creative Cloud Desktop Application. The most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged-on user, potentially enabling attackers to install programs, modify or delete data, or create new accounts with full user rights. Affected versions span ColdFusion 2025, 2023, and 2021, AEM Cloud Service and 6.5 LTS, DNG SDK 1.7.0 and prior, Acrobat and Acrobat Reader 2020 and 2024 for both Windows and Mac, and Creative Cloud Desktop Application 6.4.0.361 and earlier. Users and administrators are strongly encouraged to review the official advisories and apply the necessary updates to mitigate risk. Threat intelligence at the time of disclosure indicated no reports of these vulnerabilities being exploited in the wild. The advisories emphasize that users with administrative privileges are at greater risk if exploited, and recommend prompt patching to reduce exposure. Organizations relying on Adobe products for document management, web application development, or digital asset workflows should prioritize these updates to prevent potential compromise through remote code execution vulnerabilities.
1 month ago