Adobe Fixes Over 250 Security Bugs in Major Software Update
Most Issues Found in Adobe Experience Manager, Users Urged to Update Immediately
Adobe has released a major round of security patches this week, fixing a total of 254 vulnerabilities across several of its popular software products. The company said the majority of these flaws, 225 in total, were found in Adobe Experience Manager (AEM), with most of them tied to different types of cross-site scripting (XSS) bugs. If left unpatched, these vulnerabilities could allow attackers to execute arbitrary code, escalate privileges, or bypass key security protections.
The flaws affect both the AEM Cloud Service and earlier versions of the software, including all versions up to and including 6.5.22. Adobe says that the issues have been resolved in AEM Cloud Service Release 2025.5 and in the latest on-premises version, 6.5.23. These updates are now available and users are strongly encouraged to install them as soon as possible.
According to Adobe’s official advisory, almost all of the 225 AEM issues are variations of XSS attacks—specifically stored and DOM-based XSS. These types of bugs are particularly dangerous because they allow attackers to inject malicious scripts into web pages, which are then run when viewed by other users. In some cases, this can be used to execute code on a server, potentially giving attackers control over the system.
Three security researchers—Jim Green (also known as green-jam), Akshay Sharma (anonymous_blackzero), and someone going by the name “lpi”—have been credited with reporting the bulk of the AEM vulnerabilities to Adobe.
Adobe Commerce and Magento Also See Critical Fixes
Beyond AEM, Adobe also addressed several critical issues in its e-commerce platforms: Adobe Commerce and Magento Open Source. The most serious of these is a reflected XSS vulnerability tracked as CVE-2025-47110. This flaw has a CVSS severity rating of 9.1 out of 10, meaning it could be highly damaging if exploited. The issue could allow attackers to inject malicious scripts that run when users click on specially crafted links.
Another important vulnerability that was fixed, CVE-2025-43585, involves improper authorization. This bug could let attackers get around normal access restrictions, which could in turn open the door to further exploits or allow users to reach parts of the system they should not be able to access.
The affected versions of Adobe Commerce include 2.4.8, 2.4.7-p5 and earlier, 2.4.6-p10 and earlier, 2.4.5-p12 and earlier, and 2.4.4-p13 and earlier. Adobe Commerce B2B versions up to 1.5.2 are also impacted, along with various earlier patch levels. Magento Open Source is similarly affected across multiple version branches.
InCopy and Substance 3D Sampler Also Get Security Patches
Adobe didn’t stop at AEM and its commerce products. The company also patched a small number of serious bugs in two of its other tools—InCopy and Substance 3D Sampler. Four separate vulnerabilities in these products were addressed, each of which could lead to remote code execution if a user opened a specially crafted file. These flaws were rated with a severity score of 7.8 out of 10, which is still considered high risk.
Even though Adobe has said that none of the fixed vulnerabilities have been exploited in the wild as of now, that doesn’t mean users should ignore the patches. Security experts often point out that attackers quickly start scanning for unpatched systems after updates like this are made public. So, applying the latest updates is the best way to stay protected.
Final Thoughts
This update from Adobe is one of the most comprehensive in recent memory, with hundreds of security flaws being addressed in a wide range of products. While the fixes are welcome, the large number of vulnerabilities—particularly in AEM—shows how important regular security checks and updates are for companies relying on Adobe’s software. If your organization uses any of the affected tools, don’t wait. Make sure you install the latest updates immediately to protect your systems and data from potential attacks.