
Adobe Patches Critical ColdFusion and Commerce Vulnerabilities – Source: www.securityweek.com


Source: www.securityweek.com – Author: Eduard Kovacs

Adobe has patched nearly two dozen vulnerabilities across nine of its products with its September 2025 Patch Tuesday updates, including critical flaws in ColdFusion and Commerce.

The critical ColdFusion vulnerability, tracked as CVE-2025-54261 with a CVSS score of 9.0, has been described as a path traversal issue that can lead to an arbitrary file system write. It impacts ColdFusion 2021, 2023, and 2025 on all platforms. 

Adobe says it’s not aware of any in-the-wild exploitation of CVE-2025-54261, but assigned the flaw a priority rating of ‘1’, which indicates that it should be addressed as soon as possible (within 72 hours is recommended). 

It’s not uncommon for threat actors to exploit ColdFusion vulnerabilities in attacks. The most recent is CVE-2024-20767, patched by Adobe in March 2024 and reported as being exploited in December 2024. 

Internet scans show hundreds of thousands of ColdFusion instances exposed to the web and possibly vulnerable to attacks. 

The critical vulnerability fixed in Commerce, as well as in Magento Open Source, is CVE-2025-54236, which can be exploited by an unauthenticated attacker to bypass a security feature. Magento vulnerabilities are also often exploited in the wild. 

Adobe patched high-severity vulnerabilities in Acrobat Reader, Premiere Pro, Substance 3D Viewer, Experience Manager (AEM), Dreamweaver, and Substance 3D Modeler. These security holes can allow arbitrary code execution and security feature bypasses. 

It’s worth noting that these flaws are listed as ‘critical’ in Adobe’s advisories, but they are ‘high severity’ based on their CVSS score. 


Medium- and low-severity issues have been resolved in Acrobat Reader, Experience Manager (AEM), and After Effects. They can lead to a security feature bypass or memory exposure.

The high- and medium-severity flaws have a priority rating of ‘3’, which indicates that Adobe does not expect them to be exploited in attacks.

Microsoft has fixed 86 vulnerabilities with its latest Patch Tuesday updates.


Original Post URL: https://www.securityweek.com/adobe-patches-critical-coldfusion-and-commerce-vulnerabilities/
