In its latest May release, Adobe published 13 security bulletins addressing 40 CVEs in products such as Lighthouse, Dreamweaver, Connect, InDesign, Photoshop, Animate, Bridge, and more. This advisory had 32 Critical and 8 Important rated vulnerabilities. These updates aim to mitigate risks such as arbitrary code execution, privilege escalation, and security feature bypasses.
ColdFusion, Adobe’s commercial web application development platform, was also impacted by 7 Critical and 1 Important rated vulnerability. The updates are released for ColdFusion versions 2025, 2023, and 2021. Although it confirmed that no active exploits have been detected for the vulnerabilities, Adobe has classified the ColdFusion updates as Priority 1 due to the potential severity of the issues addressed.
The desktop versions of InDesign, including ID19.5.2, ID20.2, and earlier, were impacted by a critical vulnerability that allowed an out-of-bounds write, along with two significant NULL Pointer Dereference vulnerabilities. This critical out-of-bounds write flaw could allow arbitrary code execution with the current user’s privileges.
Photoshop, one of the most widely used and iconic products in the creative software industry, also received significant security updates in this month’s patch release. The advisory addresses three critical vulnerabilities that, if exploited, could enable attackers to execute arbitrary code. Adobe Illustrator, another flagship product in Adobe’s creative suite, received updates for a critical heap-based buffer overflow vulnerability, which, if exploited, could enable attackers to execute arbitrary code by tricking users into opening a specially crafted malicious file.
The company also addressed critical arbitrary code execution vulnerabilities in several products, including Adobe Lightroom, Dreamweaver, Connect, Substance 3D Painter, and Animate, to enhance security across its software suite. Adobe has reported that no active exploits of these vulnerabilities were observed in the wild at the time of this release. However, given the nature of the flaws, many of which could be exploited remotely with minimal user input, users and IT teams are urged to update affected products without delay.