Adobe Fixes 254 Critical Vulnerabilities

Written by Alexander Chapellin | Jun 16, 2025 8:04:43 PM

On June 10, 2025, Adobe released a fairly large security update, fixing no fewer than 254 flaws in several of its products. One of the most notable was Adobe Experience Manager (AEM). Most of these issues were related to cross-site scripting (XSS) vulnerabilities, a type of flaw that can seriously compromise the security of enterprise web applications, especially those running on Adobe Commerce or Magento. In short, if you use these platforms, it is essential that you apply this update as soon as possible to keep everything secure.

Adobe fixes 254 security flaws in a single update (and AEM bears the brunt)

Adobe released a mega security update that fixed 254 vulnerabilities, and what's most striking is that 225 of them directly affected Adobe Experience Manager (AEM), both as a Cloud Service and in the on-premises releases up to and including 6.5.22. The fixes came with AEM 6.5.23 and AEM Cloud Service release 2025.5.

The most common problem? Stored and DOM-based XSS flaws. Simply put, they allowed attackers to inject malicious scripts into web pages, so that other users' browsers ran that code without their knowledge. In the worst case, that could mean someone else taking control of the session or system, escalating privileges, or bypassing security mechanisms without much effort.
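To make the stored and reflected cases concrete, here is an added example (not Adobe's code and not from the bulletin) showing the sink pattern behind these flaws next to its hardened form. The function names and the sample input are hypothetical; the point is the missing output-encoding step.

```javascript
// Added example for this post (not Adobe code): the pattern behind a stored or
// reflected XSS sink next to its hardened form. Function names are hypothetical.

// Encode the five characters that change meaning in an HTML text or
// double-quoted attribute context.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable: the search term (reflected XSS) or a stored comment (stored XSS)
// is interpolated into markup unchanged, so a browser parses anything it contains.
function renderResultsVulnerable(query) {
  return `<p>Results for: ${query}</p>`;
}

// Hardened: the same markup with the untrusted value encoded for HTML context.
// For DOM-based XSS the client-side rule is the same: assign untrusted data via
// textContent (or setAttribute), never via innerHTML or document.write.
function renderResultsSafe(query) {
  return `<p>Results for: ${escapeHtml(query)}</p>`;
}

// True if the rendered page still contains the input's tags as live markup,
// i.e. the encoding step was skipped. Used here as a self-check.
function leaksMarkup(rendered, input) {
  const tags = input.match(/<[^>]+>/g) || [];
  return tags.some((t) => rendered.includes(t));
}

// Constructed test input: a harmless marker string, not a real attack payload.
const SAMPLE_INPUT = 'shoes<script>alert(1)</script>';

console.log('vulnerable:', renderResultsVulnerable(SAMPLE_INPUT),
  'leaks markup:', leaksMarkup(renderResultsVulnerable(SAMPLE_INPUT), SAMPLE_INPUT));
console.log('hardened:  ', renderResultsSafe(SAMPLE_INPUT),
  'leaks markup:', leaksMarkup(renderResultsSafe(SAMPLE_INPUT), SAMPLE_INPUT));
```

The encoding must match the output context: the table above covers HTML text and quoted attributes, while a value dropped into a JavaScript string, a URL or a CSS rule needs its own encoder. A templating engine that escapes by default (and a Content-Security-Policy that blocks inline scripts) is the practical way to make the hardened path the only path.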

Adobe got straight to the point and warned that if these flaws were successfully exploited, the impact could be quite serious. Fortunately, they have already been patched.

Behind these discoveries are some well-known names in the cybersecurity world, such as Jim Green (green-jam), Akshay Sharma (anonymous_blackzero), and lpi, who responsibly reported the flaws and helped Adobe fix them in time.

Alert in Adobe Commerce and Magento: Critical vulnerabilities could compromise your online store

One of the most concerning points in Adobe's latest security bulletin is a critical vulnerability identified as CVE-2025-47110. How serious is it? Quite serious: it has a score of 9.1 on the CVSS system, which places it in the highest risk range. It is a reflected XSS flaw, which basically allows attackers to remotely execute malicious code on online stores running Adobe Commerce or Magento Open Source.

But it's not the only one: CVE-2025-43585 was also discovered, with a score of 8.2, an improper authorization issue. In simple terms, this flaw could allow someone to bypass security controls and access sensitive data or permissions.

Which versions are affected?

  1. Adobe Commerce: 2.4.8, 2.4.7-p5 and earlier, 2.4.6-p10 and earlier, 2.4.5-p12 and earlier, 2.4.4-p13 and earlier

  2. Adobe Commerce B2B: 1.5.2 and earlier, 1.4.2-p5 and earlier, 1.3.5-p10 and earlier

  3. Magento Open Source: all versions equivalent to the above
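If you run more than one store, checking each installed version against that list by hand is error-prone. The following is an added example (not an Adobe tool) that encodes the ranges exactly as listed above and triages a constructed inventory. It assumes versions have the form MAJOR.MINOR.PATCH with an optional -pN suffix, reads "X and earlier" as the same release line with a patch level up to X's, and reports release lines the list does not name as "unlisted" so they can be checked against Adobe's bulletin directly.

```javascript
// Added example, not Adobe's tooling: checks an installed Adobe Commerce /
// Magento Open Source version against the affected ranges listed in the post.
// Assumptions: a version string is MAJOR.MINOR.PATCH[-pN]; "X and earlier" means
// the same MAJOR.MINOR.PATCH line with patch level <= X's; a bare version with
// no -p suffix is patch level 0.

// Parse "2.4.7-p5" -> { line: '2.4.7', patchLevel: 5 }; "2.4.8" -> patchLevel 0.
function parseVersion(v) {
  const m = /^(\d+\.\d+\.\d+)(?:-p(\d+))?$/.exec(String(v).trim());
  if (!m) throw new Error(`unrecognised version: ${v}`);
  return { line: m[1], patchLevel: m[2] === undefined ? 0 : Number(m[2]) };
}

// Upper bounds of the affected ranges, taken from the list above.
const AFFECTED = {
  'Adobe Commerce': ['2.4.8', '2.4.7-p5', '2.4.6-p10', '2.4.5-p12', '2.4.4-p13'],
  'Adobe Commerce B2B': ['1.5.2', '1.4.2-p5', '1.3.5-p10'],
};
// Magento Open Source is affected in the versions equivalent to Adobe Commerce.
AFFECTED['Magento Open Source'] = AFFECTED['Adobe Commerce'];

// Returns 'affected', 'not-affected' (same line, newer patch level), or
// 'unlisted' (release line not named in the bulletin summary).
function checkVersion(product, installed) {
  const bounds = AFFECTED[product];
  if (!bounds) throw new Error(`unknown product: ${product}`);
  const v = parseVersion(installed);
  for (const b of bounds.map(parseVersion)) {
    if (b.line !== v.line) continue;
    return v.patchLevel <= b.patchLevel ? 'affected' : 'not-affected';
  }
  return 'unlisted';
}

// Evaluate a whole inventory of stores at once.
function triage(inventory) {
  return inventory.map(({ host, product, version }) => ({
    host, product, version, status: checkVersion(product, version),
  }));
}

// Constructed sample inventory (hypothetical hosts, not real systems).
const SAMPLE_INVENTORY = [
  { host: 'shop-eu.example', product: 'Adobe Commerce', version: '2.4.7-p5' },
  { host: 'shop-us.example', product: 'Adobe Commerce', version: '2.4.7-p6' },
  { host: 'b2b.example', product: 'Adobe Commerce B2B', version: '1.4.2-p3' },
  { host: 'legacy.example', product: 'Magento Open Source', version: '2.4.3-p2' },
];

for (const r of triage(SAMPLE_INVENTORY)) {
  console.log(`${r.host}\t${r.product} ${r.version}\t${r.status}`);
}
```

An "unlisted" result is not a clean bill of health: a release line that Adobe no longer supports will not appear in the affected list at all, and the right action there is to migrate to a supported line, not to leave it running.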

These platforms are widely used by companies that manage large-scale online sales, so the scope of these vulnerabilities is enormous.

Although no active attacks exploiting these flaws have been detected so far, Adobe makes it clear that it is crucial to install the patches as soon as possible to avoid unpleasant surprises. If your store relies on any of these systems, now is the time to update (and not put it off until later).

More important fixes: InCopy and Substance 3D also received attention

In addition to its best-known products, Adobe also took advantage of this major update to fix four vulnerabilities related to remote code execution in less “famous” applications that are equally important in the creative workflow:

  1. Adobe InCopy: CVE-2025-30327 and CVE-2025-47107, both with a CVSS score of 7.8.

  2. Substance 3D Sampler: CVE-2025-43581 and CVE-2025-43588, also with a score of 7.8.

Although these apps are not part of the critical core of business infrastructures, they are still used by many creative teams. And since collaborative workflows are often interconnected, any open door can be exploited by attackers if it is not closed in time.

With more than 200 XSS vulnerabilities in AEM alone, it is clear that there is a serious structural problem in many of the digital solutions that companies and brands use every day for marketing, content, and online commerce.

And if we add to that the flaws that allow remote code execution in collaboration and design tools, it becomes even clearer that cybersecurity is no longer just a matter for the IT team: it is a responsibility shared by the entire organization.

What to do now? Some key recommendations

  1. Update without hesitation: the sooner you apply the patches, the less time you will be at risk.

  2. Implement faster update cycles: no waiting weeks or months to install the new version.

  3. Monitor vulnerabilities constantly: there are tools that can help you detect problems before they become real threats.

  4. Strengthen default settings: many installations are left with insecure options enabled. Adjusting these can make all the difference.

Conclusion

Adobe did the right thing: it reacted quickly and plugged dangerous holes. But what really stands out is the number of flaws found. That tells us a lot about how complex and, at times, fragile our digital ecosystems are becoming.

So if your company relies on Adobe, the best thing you can do right now is to apply all available updates, review your settings, and think of cybersecurity as an ongoing priority, not an occasional task.