Adobe Issues Urgent Security Updates for Connect, Commerce, and Creative Cloud Apps

Adobe has issued a set of security updates addressing more than 35 vulnerabilities across its product portfolio. The updates include fixes for several critical flaws in widely used applications, among them Adobe Connect, Adobe Commerce, Magento Open Source, Creative Cloud Desktop, Bridge and Animate.

Among the most pressing issues is CVE-2025-49553, a critical DOM-based cross-site scripting (XSS) vulnerability in Adobe Connect rated 9.3 on the CVSS scale. As with any XSS flaw, the attacker's payload runs in the victim's browser within the Connect session; Adobe classes the impact as arbitrary code execution. A second critical XSS flaw in Adobe Connect, CVE-2025-49552, was also fixed. Adobe Connect version 12.10 for Windows and macOS resolves both vulnerabilities, along with a moderate-severity open redirect (CVE-2025-54196).

Although there is no evidence that any of these vulnerabilities is being actively exploited, Adobe has urged users to update immediately. "We recommend all customers deploy these updates as soon as possible," the company said in its advisory.

Adobe Connect: Primary Focus of the October Update 

The most critical Adobe security update this cycle concerns Adobe Connect, a virtual conferencing platform used across industries. Three distinct vulnerabilities were patched: 
  • CVE-2025-49553: DOM-based XSS – Critical (CVSS 9.3) 
  • CVE-2025-49552: DOM-based XSS – Critical (CVSS 7.3) 
  • CVE-2025-54196: Open Redirect – Moderate 
These vulnerabilities were disclosed by a researcher known as Laish (a_l). Users are urged to update to version 12.10 to mitigate the risk of exploitation. 

Commerce and Magento Open Source: High-Risk Targets 

Adobe’s e-commerce platforms, Adobe Commerce and Magento Open Source, also received attention. Five vulnerabilities were addressed in bulletin APSB25-94, including: 
  • CVE-2025-54263: Improper Access Control – Critical 
  • CVE-2025-54264 & CVE-2025-54266: Stored XSS – Critical/Important 
  • CVE-2025-54265 & CVE-2025-54267: Incorrect Authorization – Important 
These flaws could enable attackers to escalate privileges or bypass access controls. Affected versions range from 2.4.4 to 2.4.9 for Adobe Commerce and Magento Open Source, and from 1.3.3 to 1.5.3 for Adobe Commerce B2B. Adobe has given this update a priority rating of 2, its designation for products that have historically been at elevated risk of attack, even though no exploits are currently known. 
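The affected-range statement above is what a fleet owner actually has to test against an inventory of installed Commerce and Magento versions. The following is an added example, not Adobe's code: it parses Magento-style version strings (plain 2.4.7, patch releases such as 2.4.7-p3, pre-releases such as 2.4.9-alpha2) into tuples that sort correctly and flags installs inside the inclusive ranges quoted above. The host inventory is constructed for illustration, and because this page does not list the patched releases inside those ranges, the check answers "is this version inside the range Adobe named", not "is it already fixed".

```python
from __future__ import annotations

import re

# Inclusive affected ranges as stated in the article. The patched releases inside
# these ranges are not listed on this page, so is_affected() only says whether an
# install falls inside the range Adobe named, not whether it already carries the fix.
AFFECTED_RANGES = {
    "Adobe Commerce": ("2.4.4", "2.4.9"),
    "Magento Open Source": ("2.4.4", "2.4.9"),
    "Adobe Commerce B2B": ("1.3.3", "1.5.3"),
}

# Magento-style version strings: 2.4.7, 2.4.7-p3 (patch release), 2.4.9-alpha2 (pre-release).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-p(\d+))?(?:-(alpha|beta)(\d*))?$")
_PRERELEASE_RANK = {"alpha": 0, "beta": 1, None: 2}  # final releases sort after pre-releases


def parse_version(text: str) -> tuple[int, int, int, int, int, int]:
    """Turn a Magento version string into a tuple that compares in release order.

    Order of fields: major, minor, patch, pre-release kind (alpha < beta < final),
    pre-release number, then the -pN patch level, so 2.4.9-alpha2 < 2.4.9 < 2.4.9-p1.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, plevel, pre, pre_num = m.groups()
    return (
        int(major), int(minor), int(patch),
        _PRERELEASE_RANK[pre], int(pre_num or 0), int(plevel or 0),
    )


def is_affected(product: str, installed: str) -> bool:
    """True when the installed version lies within the bulletin's inclusive range."""
    lo, hi = AFFECTED_RANGES[product]
    return parse_version(lo) <= parse_version(installed) <= parse_version(hi)


def triage(inventory: dict[str, tuple[str, str]]) -> list[str]:
    """Return the hosts (sorted) whose (product, version) falls in an affected range."""
    return sorted(host for host, (product, ver) in inventory.items() if is_affected(product, ver))


# Constructed inventory for the example; these are not real hosts.
INVENTORY = {
    "shop-prod-1": ("Adobe Commerce", "2.4.7-p3"),
    "shop-prod-2": ("Adobe Commerce", "2.4.9-alpha2"),
    "shop-legacy": ("Magento Open Source", "2.4.3"),
    "b2b-portal": ("Adobe Commerce B2B", "1.5.3"),
}

if __name__ == "__main__":
    for host in triage(INVENTORY):
        product, ver = INVENTORY[host]
        print(f"{host}: {product} {ver} is inside the affected range, check APSB25-94")
```

Note that shop-legacy on 2.4.3 is outside the quoted range rather than safe: it is below the supported releases Adobe lists at all, which is its own problem.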

Creative Tools: High-Severity Vulnerabilities Across the Board 

Adobe’s creative applications were not spared, with critical vulnerabilities fixed across multiple tools, including: 
  • Substance 3D Stager 
  • Dimension 
  • Illustrator 
  • FrameMaker 
  • Substance 3D Modeler 
  • Substance 3D Viewer 
  • Bridge 
  • Animate 
Each of these updates addressed high-severity memory-safety bugs, mainly use-after-free, out-of-bounds read/write, heap-based buffer overflow and integer overflow conditions. Most were scored 7.8 (CVSS), a score whose local attack vector and required user interaction reflect that a victim has to open a crafted file in the affected application; Adobe nonetheless rates them critical because the outcome is arbitrary code execution in the user's context.

For instance, Adobe Animate patched four vulnerabilities: 
  • CVE-2025-54279 (Use After Free – Critical) 
  • CVE-2025-61804 (Buffer Overflow – Critical) 
  • CVE-2025-54269 (Out-of-bounds Read – Important) 
  • CVE-2025-54270 (NULL Pointer Dereference – Important) 
Updates are available for Animate 2023 (v23.0.15) and Animate 2024 (v24.0.12), accessible through the Creative Cloud desktop app or enterprise deployment tools. 

Priority Ratings and Risk Management 

[Figure: Adobe Security Update (Source: Cyble)]

Adobe employs a priority rating system to help users assess the urgency of each update. Most of the October 14 patches were rated Priority 3, Adobe's rating for products that have historically not been targeted by attackers, where exploitation is considered unlikely in the near term. The Commerce and Magento Open Source updates were marked Priority 2, reflecting an elevated risk given the public exposure of these platforms.

Although Adobe reports no exploitation of the disclosed vulnerabilities in the wild, it strongly advises all users, both individuals and enterprises, to deploy the patches proactively. Individual users receive the updates through the Creative Cloud Desktop application; enterprises can deploy them through the Adobe Admin Console. 

Patch Tuesday October 2025: Three Zero-days Under Attack

14 October 2025 at 15:54

Microsoft’s Patch Tuesday October 2025 included fixes for 175 vulnerabilities, including three exploited zero-days and 13 additional high-risk vulnerabilities. The three zero-days under attack were quickly added to CISA’s Known Exploited Vulnerabilities (KEV) catalog.

One of those vulnerabilities is CVE-2025-59230, a 7.8-severity Elevation of Privilege vulnerability in Windows Remote Access Connection Manager. Microsoft notes that “An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.” Microsoft Threat Intelligence Center (MSTIC) and Microsoft Security Response Center (MSRC) were credited with the discovery.

The second zero-day added to CISA KEV is CVE-2025-24990, a 7.8-rated Elevation of Privilege vulnerability in the Windows Agere Modem Driver, a third-party driver that ships natively with supported Windows operating systems. Rather than patching it, Microsoft removed the ltmdm64.sys driver in the October cumulative update, so the fix applies whether or not a modem is present. “Fax modem hardware dependent on this specific driver will no longer work on Windows,” Microsoft noted, adding that users should remove “any existing dependencies on this hardware.”

CVE-2025-47827, a 4.6-rated Secure Boot bypass in IGEL OS before 11, was also labeled “exploitation detected” by Microsoft and added to the CISA KEV catalog.

The October 2025 update is also the last for Windows 10, which has reached end of support; only devices enrolled in Microsoft's Extended Security Updates (ESU) program will continue to receive security fixes. Other vendors issuing Patch Tuesday fixes today include Ivanti, Adobe, Fortinet, Veeam and SAP. The SAP updates include two maximum-severity SAP NetWeaver fixes.

Patch Tuesday October 2025: Two 9.8 Vulnerabilities

The 13 Microsoft vulnerabilities labeled “exploitation more likely” include two 9.8-severity flaws. CVE-2025-59287 is a 9.8-rated Remote Code Execution vulnerability in Windows Server Update Services (WSUS). “Deserialization of untrusted data in Windows Server Update Service allows an unauthorized attacker to execute code over a network,” Microsoft said. “A remote, unauthenticated attacker could send a crafted event that triggers unsafe object deserialization in a legacy serialization mechanism, resulting in remote code execution.” The attack complexity is low, and no privileges or user interaction are required. Only servers with the WSUS server role enabled are exposed, but those are exactly the systems positioned to push updates to every managed endpoint, which is what makes this one worth expediting. Microsoft acknowledged “MEOW” for the report, with no other identifying information.

CVE-2025-59246 is a 9.8-rated Azure Entra ID Elevation of Privilege vulnerability that requires no customer action, since Microsoft resolved it on the service side. Microsoft credited Dylan Ryan-Zilavy for the find.

Other High-risk Vulnerabilities

The other 11 Microsoft vulnerabilities at elevated risk of exploitation include: 
  • CVE-2025-24052, a 7.8-rated Windows Agere Modem Driver Elevation of Privilege vulnerability, addressed by the same driver removal as CVE-2025-24990. 
  • CVE-2025-59199, a 7.8-severity Software Protection Platform (SPP) Elevation of Privilege vulnerability. “Improper access control in Software Protection Platform (SPP) allows an authorized attacker to elevate privileges locally,” Microsoft noted. 
  • CVE-2025-58722, a 7.8-rated Microsoft DWM Core Library Elevation of Privilege vulnerability. The heap-based buffer overflow could allow an authorized attacker to elevate privileges locally. 
  • CVE-2025-55694, a 7.8-severity Windows Error Reporting Service Elevation of Privilege vulnerability involving improper access control, which could allow an authorized attacker to elevate privileges locally. 
  • CVE-2025-55692, a 7.8-rated Windows Error Reporting Service Elevation of Privilege vulnerability involving improper input validation, which could allow an authorized attacker to elevate privileges locally. 
  • CVE-2025-55680, a 7.8-severity Windows Cloud Files Mini Filter Driver Elevation of Privilege vulnerability. A time-of-check time-of-use (TOCTOU) race condition could allow an authorized attacker to elevate privileges locally. 
  • CVE-2025-59194, a 7.0-rated Windows Kernel Elevation of Privilege vulnerability. Use of an uninitialized resource in the Windows Kernel could allow an authorized attacker to elevate privileges locally. 
  • CVE-2025-59502, a 7.5-severity Remote Procedure Call Denial of Service vulnerability. Uncontrolled resource consumption in Windows Remote Procedure Call could allow an unauthorized attacker to deny service over a network. 
  • CVE-2025-55693, a 7.4-rated Windows Kernel Elevation of Privilege vulnerability. A use-after-free could allow an unauthorized attacker to elevate privileges locally. 
  • CVE-2025-48004, a 7.4-severity Microsoft Brokering File System Elevation of Privilege vulnerability. A use-after-free could allow an unauthorized attacker to elevate privileges locally. 
  • CVE-2025-55681, a 7.0-rated Desktop Window Manager (DWM) Elevation of Privilege vulnerability. An out-of-bounds read could allow an authorized attacker to elevate privileges locally. 
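Both the Adobe priority ratings discussed above and the Microsoft exploitability labels and CISA KEV additions in this October round-up are inputs to the same decision: what gets deployed first. The following is an added example, not code from any of the articles or vendors on this page. It cross-references a list of advisories against a KEV-format document and orders them into a patch queue: anything in KEV or marked "exploitation detected" first, then anything the vendor flags as elevated risk (Microsoft "exploitation more likely", Adobe Priority 1 or 2), then the rest, with CVSS as the tie-breaker. The KEV_JSON text is a constructed excerpt that follows the field names of CISA's public feed but contains only the three October 14 additions named above; the advisory list is transcribed from this page, with no score recorded for the Adobe Commerce entry because none is quoted here.

```python
from __future__ import annotations

import json
from dataclasses import dataclass
from typing import Optional

# Constructed excerpt in the shape of CISA's KEV JSON feed (the real catalog is
# published at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# Only the three October 14 additions named in the article are included.
KEV_JSON = """
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed excerpt)",
  "vulnerabilities": [
    {"cveID": "CVE-2025-59230", "vendorProject": "Microsoft", "product": "Windows", "dateAdded": "2025-10-14"},
    {"cveID": "CVE-2025-24990", "vendorProject": "Microsoft", "product": "Windows", "dateAdded": "2025-10-14"},
    {"cveID": "CVE-2025-47827", "vendorProject": "IGEL", "product": "IGEL OS", "dateAdded": "2025-10-14"}
  ]
}
"""


@dataclass(frozen=True)
class Advisory:
    cve: str
    product: str
    cvss: Optional[float]         # None where this page quotes no score
    vendor_signal: str            # Microsoft exploitability text, or Adobe "priority N"
    customer_action: bool = True  # False when the vendor fixed it service-side


# Entries transcribed from the advisories summarised on this page.
ADVISORIES = [
    Advisory("CVE-2025-59230", "Windows Remote Access Connection Manager", 7.8, "exploitation detected"),
    Advisory("CVE-2025-24990", "Windows Agere Modem Driver", 7.8, "exploitation detected"),
    Advisory("CVE-2025-47827", "IGEL OS Secure Boot", 4.6, "exploitation detected"),
    Advisory("CVE-2025-59287", "Windows Server Update Services", 9.8, "exploitation more likely"),
    Advisory("CVE-2025-59246", "Azure Entra ID", 9.8, "exploitation more likely", customer_action=False),
    Advisory("CVE-2025-24052", "Windows Agere Modem Driver", 7.8, "exploitation more likely"),
    Advisory("CVE-2025-59502", "Windows Remote Procedure Call", 7.5, "exploitation more likely"),
    Advisory("CVE-2025-54263", "Adobe Commerce / Magento Open Source", None, "priority 2"),
    Advisory("CVE-2025-49553", "Adobe Connect", 9.3, "priority 3"),
]

# Vendor signals meaning "historically targeted or likely to be", short of confirmed exploitation.
ELEVATED_SIGNALS = {"exploitation more likely", "priority 1", "priority 2"}


def load_kev_ids(kev_json: str) -> set[str]:
    """Return the CVE IDs listed in a KEV-format JSON document."""
    return {entry["cveID"] for entry in json.loads(kev_json)["vulnerabilities"]}


def tier(adv: Advisory, kev_ids: set[str]) -> int:
    """0 = exploited in the wild, 1 = vendor flags elevated risk, 2 = everything else."""
    if adv.cve in kev_ids or adv.vendor_signal == "exploitation detected":
        return 0
    if adv.vendor_signal in ELEVATED_SIGNALS:
        return 1
    return 2


def rank_patches(advisories: list[Advisory], kev_ids: set[str]) -> list[str]:
    """Order actionable advisories by tier, then CVSS descending, then CVE ID.

    Service-side fixes (customer_action=False) are dropped: there is nothing to deploy.
    A missing CVSS is treated as 0 and so sorts last within its tier; fill it in from
    the vendor bulletin rather than letting the entry hide behind lower-scored ones.
    """
    actionable = [a for a in advisories if a.customer_action]
    ordered = sorted(actionable, key=lambda a: (tier(a, kev_ids), -(a.cvss or 0.0), a.cve))
    return [a.cve for a in ordered]


def by_tier(advisories: list[Advisory], kev_ids: set[str]) -> dict[int, list[str]]:
    """Group the ranked queue by tier for reporting; order within each tier is preserved."""
    lookup = {a.cve: a for a in advisories}
    groups: dict[int, list[str]] = {0: [], 1: [], 2: []}
    for cve in rank_patches(advisories, kev_ids):
        groups[tier(lookup[cve], kev_ids)].append(cve)
    return groups


if __name__ == "__main__":
    kev_ids = load_kev_ids(KEV_JSON)
    for level, cves in by_tier(ADVISORIES, kev_ids).items():
        print(f"tier {level}: {', '.join(cves) or '(none)'}")
```

The Entra ID entry disappears from the queue rather than sitting at the top on CVSS alone, and the Adobe Connect XSS, despite its 9.3, lands in the last tier because Adobe's own Priority 3 says the product has not historically been targeted. Swapping KEV_JSON for the live feed is the only change needed to run this against a real month.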

Microsoft Patch Tuesday, July 2025 Edition

8 July 2025 at 20:53

Microsoft today released updates to fix at least 137 security vulnerabilities in its Windows operating systems and supported software. None of the weaknesses addressed this month are known to be actively exploited, but 14 of the flaws earned Microsoft’s most-dire “critical” rating, meaning they could be exploited to seize control over vulnerable Windows PCs with little or no help from users.

While not listed as critical, CVE-2025-49719 is a publicly disclosed information disclosure vulnerability in Microsoft SQL Server; all supported versions as far back as SQL Server 2016 received patches. Microsoft rates CVE-2025-49719 as less likely to be exploited, but the availability of proof-of-concept code for this flaw means its patch should probably be a priority for affected enterprises.

Mike Walters, co-founder of Action1, said CVE-2025-49719 can be exploited without authentication, and that many third-party applications depend on SQL server and the affected drivers — potentially introducing a supply-chain risk that extends beyond direct SQL Server users.

“The potential exposure of sensitive information makes this a high-priority concern for organizations handling valuable or regulated data,” Walters said. “The comprehensive nature of the affected versions, spanning multiple SQL Server releases from 2016 through 2022, indicates a fundamental issue in how SQL Server handles memory management and input validation.”

Adam Barnett at Rapid7 notes that today is the end of the road for SQL Server 2012, meaning there will be no future security patches even for critical vulnerabilities, even if you’re willing to pay Microsoft for the privilege.

Barnett also called attention to CVE-2025-47981, a remote code execution bug with a CVSS score of 9.8 (10 being the worst) in the way Windows servers and clients negotiate to discover mutually supported authentication mechanisms (SPNEGO Extended Negotiation, or NEGOEX). This pre-authentication vulnerability affects any Windows client machine running Windows 10 1607 or above, and all current versions of Windows Server. Microsoft considers it more likely that attackers will exploit this flaw.

Microsoft also patched at least four critical, remote code execution flaws in Office (CVE-2025-49695, CVE-2025-49696, CVE-2025-49697, CVE-2025-49702). The first two are both rated by Microsoft as having a higher likelihood of exploitation, do not require user interaction, and can be triggered through the Preview Pane.

Two more high severity bugs include CVE-2025-49740 (CVSS 8.8) and CVE-2025-47178 (CVSS 8.0); the former is a weakness that could allow malicious files to bypass screening by Microsoft Defender SmartScreen, a built-in feature of Windows that tries to block untrusted downloads and malicious sites.

CVE-2025-47178 involves a remote code execution flaw in Microsoft Configuration Manager, an enterprise tool for managing, deploying, and securing computers, servers, and devices across a network. Ben Hopkins at Immersive said this bug requires very low privileges to exploit, and that it is possible for a user or attacker with a read-only access role to exploit it.

“Exploiting this vulnerability allows an attacker to execute arbitrary SQL queries as the privileged SMS service account in Microsoft Configuration Manager,” Hopkins said. “This access can be used to manipulate deployments, push malicious software or scripts to all managed devices, alter configurations, steal sensitive data, and potentially escalate to full operating system code execution across the enterprise, giving the attacker broad control over the entire IT environment.”

Separately, Adobe has released security updates for a broad range of software, including After Effects, Adobe Audition, Illustrator, FrameMaker, and ColdFusion.

The SANS Internet Storm Center has a breakdown of each individual patch, indexed by severity. If you’re responsible for administering a number of Windows systems, it may be worth keeping an eye on AskWoody for the lowdown on any potentially wonky updates (considering the large number of vulnerabilities and Windows components addressed this month).

If you’re a Windows home user, please consider backing up your data and/or drive before installing any patches, and drop a note in the comments if you encounter any problems with these updates.