Adobe Patches for July 2025
For July, Adobe (eventually) released 13 bulletins addressing 60 unique CVEs in Adobe ColdFusion, After Effects, Substance 3D Viewer, Audition, InCopy, InDesign, Connect, Dimension, Substance 3D Stager, Illustrator, FrameMaker, Experience Manager Forms, and Experience Manager Screens. The obvious place to start here is
ColdFusion. It’s the only update listed as Priority 1 and addresses 13 CVEs, five of which are rated Critical. ColdFusion should probably be considered “legacy” at this point. If you’re still using it, you should think about migrating to something more modern. The patch for
FrameMaker is also somewhat large. It fixes 15 CVEs – including 13 Critical bugs that could lead to code execution. The only other double-digit CVE bulletin is for
Illustrator with 10 bugs. The most severe of these bugs could lead to code execution.
The remaining patches are much smaller. The
After Effects patch fixes two Important severity bugs. The fix for
Substance 3D Viewer addresses one Critical and two Important vulnerabilities. There’s a single denial-of-service (DoS) bug fixed in the
Audition patch. The update for
InCopy includes three Critical-rated bugs that could lead to code execution. The fixes for
InDesign correct six similar Critical bugs. There’s just a single Critical bug in the patch for
Connect. That’s the same for the
Experience Manager Forms patch. The update for
Substance 3D Stager corrects a single memory leak. The patch for
Dimension also includes a memory leak fix and a Critical-rated code execution bug. Finally, the update for
Experience Manager Screens addresses two cross-site scripting (XSS) bugs.
None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release. Besides the patch for ColdFusion, all updates are listed as deployment priority 3.
