Full Report
Adobe on Tuesday pushed security updates to address a total of 254 security flaws impacting its software products, a majority of which affect Experience Manager (AEM). Of the 254 flaws, 225 reside in AEM, impacting AEM Cloud Service (CS) as well as all versions prior to and including 6.5.22. The issues have been resolved in AEM Cloud Service Release 2025.5 and version 6.5.23. "Successful
Analysis Summary
# Vulnerability: Adobe Security Updates Patching 254 Flaws (Including Critical XSS in Commerce)
## CVE Details
* **CVE ID:** CVE-2025-47110 (Critical in Adobe Commerce)
* **CVSS Score:** 9.1 (Critical) for CVE-2025-47110. Other listed scores are 8.2 (High) for CVE-2025-43585 and 7.8 (High) for several InCopy/Sampler flaws.
* **CWE:** Reflected Cross-Site Scripting (for CVE-2025-47110). Many AEM flaws are Cross-Site Scripting (stored and DOM-based).
## Affected Systems
* **Products:** Adobe Experience Manager (AEM), Adobe Commerce, Magento Open Source, Adobe Commerce B2B, Adobe InCopy, Adobe Substance 3D Sampler.
* **Versions:**
  * **AEM:** All versions prior to and including 6.5.22; AEM Cloud Service (CS).
  * **Adobe Commerce/Magento Open Source:**
    * Adobe Commerce/Magento Open Source versions: 2.4.8, 2.4.7-p5 and earlier, 2.4.6-p10 and earlier, 2.4.5-p12 and earlier, and 2.4.4-p13 and earlier.
    * Adobe Commerce B2B versions: 1.5.2 and earlier, 1.4.2-p5 and earlier, 1.3.5-p10 and earlier, 1.3.4-p12 and earlier, and 1.3.3-p13 and earlier.
  * **InCopy/Substance 3D Sampler:** The source text lists only the CVEs for these products; the affected versions are implied by the patch releases but are not stated.
* **Configurations:** Not specified beyond the product versions listed.
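Version ranges of the form "2.4.7-p5 and earlier" are easy to misread when a patch level sits behind a hyphen. The following script is an added example (not part of the original summary or of any Adobe tooling) that parses Commerce-style version strings and checks an inventory against the ranges listed above. The ceilings are copied from this summary; the reading of "and earlier" for release lines that have no ceiling of their own (older lines are affected, newer ones are simply not listed) is an assumption made here, and the sample inventory is constructed.

```python
import re
from typing import NamedTuple


class Version(NamedTuple):
    major: int
    minor: int
    patch: int
    plevel: int  # the "-pN" security patch level; 0 when the string has none


_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-p(\d+))?$")


def parse_version(text: str) -> Version:
    """Parse Adobe Commerce style version strings such as '2.4.7-p5' or '1.5.2'."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, plevel = m.groups()
    return Version(int(major), int(minor), int(patch), int(plevel or 0))


# Ceilings copied from the advisory summary; each entry reads "this version and earlier".
AFFECTED_CEILINGS = {
    "Adobe Commerce / Magento Open Source": ["2.4.8", "2.4.7-p5", "2.4.6-p10", "2.4.5-p12", "2.4.4-p13"],
    "Adobe Commerce B2B": ["1.5.2", "1.4.2-p5", "1.3.5-p10", "1.3.4-p12", "1.3.3-p13"],
}


def is_listed_as_affected(product: str, installed: str) -> bool:
    """True when `installed` falls inside the affected ranges the summary lists for `product`.

    Reading of the ranges (an assumption made in this example, not spelled out in the summary):
    - a release line with an explicit ceiling (e.g. 2.4.7 -> p5) is affected up to that
      patch level and not beyond it;
    - a release line with no ceiling of its own is covered by "and earlier" when it is
      older than the newest ceiling listed (e.g. 2.4.3, or B2B 1.5.1), and is not listed
      as affected when it is newer than everything on the list.
    """
    v = parse_version(installed)
    ceilings = [parse_version(c) for c in AFFECTED_CEILINGS[product]]
    for c in ceilings:
        if v[:3] == c[:3]:
            return v.plevel <= c.plevel
    return v < max(ceilings)


def triage_inventory(inventory):
    """Return the (product, version) pairs from an inventory that fall in a listed range."""
    return [(p, ver) for p, ver in inventory if is_listed_as_affected(p, ver)]


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = [
        ("Adobe Commerce / Magento Open Source", "2.4.7-p3"),
        ("Adobe Commerce / Magento Open Source", "2.4.7-p6"),
        ("Adobe Commerce / Magento Open Source", "2.4.8"),
        ("Adobe Commerce B2B", "1.4.2-p5"),
        ("Adobe Commerce B2B", "1.5.3"),
    ]
    for product, ver in triage_inventory(sample):
        print(f"UPDATE NEEDED: {product} {ver}")
```

A version that the checker does not flag is only "not listed as affected" by this summary; confirm the fixed release against the vendor advisory before closing a ticket.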
## Vulnerability Description
Adobe released updates to address 254 security vulnerabilities across its product line.
1. **Adobe Experience Manager (AEM):** 225 vulnerabilities, mostly Cross-Site Scripting (XSS) variants (Stored and DOM-based), which could lead to arbitrary code execution, privilege escalation, and security feature bypass.
2. **Adobe Commerce/Magento:** A critical **Reflected XSS** vulnerability (CVE-2025-47110) that allows for **arbitrary code execution**. An improper authorization flaw (CVE-2025-43585) could lead to security feature bypass.
3. **InCopy & Substance 3D Sampler:** Multiple code execution flaws (CVE-2025-30327, CVE-2025-47107, CVE-2025-43581, CVE-2025-43588).
## Exploitation
* **Status:** None of the listed bugs have been stated as publicly known or exploited in the wild.
* **Complexity:** The severity scores (up to 9.1) suggest that some of the vulnerabilities, particularly the XSS vectors, may be exploitable with relatively low complexity.
* **Attack Vector:** Given the XSS focus, the attack vector is likely network/web-based, though the specific vectors for privilege escalation and arbitrary code execution are not detailed.
## Impact
* **Confidentiality:** Potential impact due to arbitrary code execution and privilege escalation.
* **Integrity:** Potential impact due to arbitrary code execution.
* **Availability:** Potential impact due to privilege escalation or system compromise.
## Remediation
### Patches
* **AEM:** Patched in **AEM Cloud Service Release 2025.5** and **version 6.5.23**.
* **Adobe Commerce/Magento:** Patches are available for the listed affected versions (users should update to the latest secure maintenance releases).
* **InCopy/Substance 3D Sampler:** Patches are available corresponding to the listed CVEs.
### Workarounds
No specific workarounds were mentioned in the summary; immediate patching is advised.
## Detection
* **Indicators of Compromise:** Not specified, but for XSS vulnerabilities leading to code execution, monitoring for unusual script execution, unauthorized configuration changes, or unexpected outbound network connections from web application servers would be relevant.
* **Detection Methods and Tools:** Organizations should primarily rely on applying vendor updates. Monitoring application server logs for exploit attempts targeting known input vectors related to XSS or authorization checks is recommended.
## References
* Vendor Advisory (AEM): https://helpx.adobe.com/security/products/experience-manager/apsb25-48.html
* Vendor Advisory (Commerce): https://helpx.adobe.com/security/products/magento/apsb25-50.html
* Vendor Advisory (InCopy): https://helpx.adobe.com/security/products/incopy/apsb25-41.html
* Vendor Advisory (Sampler): https://helpx.adobe.com/security/products/substance3d-sampler/apsb25-55.html
* General Security Updates Link: https://helpx.adobe.com/security.html