Adobe has rolled out a big round of security updates addressing more than 20 vulnerabilities-some of them critical-in ColdFusion versions 2025, 2023, and 2021.

These vulnerabilities could allow attackers to read arbitrary files or execute malicious code on affected systems.

Among the 30 vulnerabilities identified in ColdFusion, 11 have been classified as critical, including:

  • CVE-2025-24446 (CVSS 9.1): Improper input validation enabling arbitrary file system read
  • CVE-2025-24447 (CVSS 9.1): Unsafe deserialization that could allow arbitrary code execution
  • CVE-2025-30281 (CVSS 9.1): Improper access control leading to file system exposure
  • CVE-2025-30282 (CVSS 9.1): Authentication flaws that could lead to arbitrary code execution
  • CVE-2025-30284 to CVE-2025-30287 (CVSS 8.0–8.1): Deserialization and command injection bugs allowing code execution
  • CVE-2025-30288 (CVSS 7.8): Access control issue enabling security feature bypass
  • CVE-2025-30289 (CVSS 7.5): Command injection vulnerability leading to code execution
  • CVE-2025-30290 (CVSS 8.7): Path traversal vulnerability resulting in a bypass of security mechanisms

The issues have been addressed in the following ColdFusion updates:

      • ColdFusion 2021 Update 19
      • ColdFusion 2023 Update 13
      • ColdFusion 2025 Update 1

Moreover, Adobe has patched several buffer overflow and memory corruption vulnerabilities across its creative cloud suite. These include:

        • After Effects (CVE-2025-27182, CVE-2025-27183)
        • Media Encoder (CVE-2025-27194, CVE-2025-27195)
        • Bridge (CVE-2025-27193)
        • Premiere Pro (CVE-2025-27196)
        • Photoshop (CVE-2025-27198)
        • Animate (CVE-2025-27199)
        • FrameMaker (CVE-2025-30304, CVE-2025-30297, CVE-2025-30295)

All of these could potentially allow attackers to execute arbitrary code. As of now, adobe says it has not observed any exploitation of these vulnerabilities. However, users are need to install the latest updates as soon as possible to minimize their exposure to security threats.

Follow us on X and Linkedin for the latest cybersecurity news