Critical vulnerabilities found in Photoshop, Premiere Pro, and multiple other Adobe products


Threat actors can exploit some of the most popular creative Adobe applications to take over Windows and macOS machines.

Eight Adobe products – Photoshop, Illustrator, Premiere Pro, After Effects, ColdFusion, Acrobat Reader, Audition, and Media Encoder – recently received updates patching critical, important, and moderate security vulnerabilities.

The US Cybersecurity and Infrastructure Security Agency (CISA) warns that cyber threat actors could exploit some of them to take control of affected systems and urges users to apply the necessary updates.

ADVERTISEMENT

According to Adobe bulletins:

  • Adobe Photoshop updates resolvefour critical vulnerabilities with a severity rating of 7.8 out of 10, and one important out-of-bounds Read vulnerability. These could be exploited to run arbitrary code and leak memory. Affected versions include Photoshop 2023 (24.7.4 and earlier versions) and Photoshop 2024 (25.11 and earlier versions) on Windows and MacOS.
  • Adobe ColdFusion update fixes a critical vulnerability with a severity rating of 9.8 out of 10, which could lead to attackers running arbitrary code. Affected versions are ColdFusion 2023 (Update 9 and earlier versions) and ColdFusion 2021 (Update 15 and earlier versions).
  • Adobe Acrobat and Reader for Windows and macOS are affected by two critical vulnerabilities, these have ratings of 7.8 and 8.6 out of 10 and allow remote code execution.
  • Adobe Illustrator updates fix six vulnerabilities in total. Four are critical, with a severity score of 7.8 out of 10, and allow arbitrary code execution. One vulnerability is labeled as important, as it may lead to memory leak, and the last one is moderate and could be used for denial of service. Affected versions include Illustrator 2024 (28.6 and earlier versions) and Illustrator 2023 (27.9.5 and earlier versions) on both Windows and macOS platforms.
  • Adobe Premiere Pro updates address two vulnerabilities. One is critical, with a severity score of 7.8 out of 10, and allows arbitrary code execution. The other vulnerability is labeled as moderate and could lead to memory leak. Affected versions include Premiere Pro 2024 (24.5 and earlier versions) and Premiere Pro 2023 (23.6.8 and earlier versions) on both Windows and macOS platforms.
  • Adobe After Effects versions 24.5 and earlier and 23.6.6 and earlier are affected by five vulnerabilities: three critical (7.8 out of 10), one important, and one moderate. If not patched, Attackers could also exploit them to run arbitrary code, leak memory, and write arbitrary files in the context of the current user.
  • Adobe Audition updates for Windows and macOS resolve critical and important vulnerabilities that enable leaking memory and arbitrary code execution.
  • Adobe Media Encoder versions prior to the patch are vulnerable to similar arbitrary code execution and memory leak vulnerabilities.

In all cases, Adobe recommends users update their software installations to the latest versions. According to the company, attackers have not yet targeted the discovered vulnerabilities. Adobe thanked researchers for disclosing the issues.