In July 2025, Adobe took significant steps to enhance the security of its software suite, releasing a total of 13 bulletins that address 60 unique Common Vulnerabilities and Exposures (CVEs). The updates span a variety of applications, including Adobe ColdFusion, After Effects, Substance 3D Viewer, Audition, InCopy, InDesign, Connect, Dimension, Substance 3D Stager, Illustrator, FrameMaker, Experience Manager Forms, and Experience Manager Screens.
Adobe’s Focus on ColdFusion and FrameMaker
Among these updates, ColdFusion stands out as the only Priority 1 patch, addressing 13 CVEs, five of which are classified as Critical. Given its age, ColdFusion is often regarded as a “legacy” system, prompting users to consider migration to more modern alternatives. The FrameMaker patch is also noteworthy, rectifying 15 CVEs, including 13 Critical vulnerabilities that could potentially lead to code execution.
Illustrator follows closely with a patch addressing 10 bugs, the most severe of which could also enable code execution. The remaining patches are comparatively smaller in scale. For instance, the After Effects update resolves two Important severity bugs, while the Substance 3D Viewer patch addresses one Critical and two Important vulnerabilities. Additionally, the Audition patch fixes a single denial-of-service (DoS) bug.
InCopy’s update includes three Critical-rated bugs that could lead to code execution, while InDesign corrects six similar vulnerabilities. Both the Connect and Experience Manager Forms patches address a single Critical bug each. The Substance 3D Stager update resolves a memory leak, and Dimension’s patch includes both a memory leak fix and a Critical-rated code execution bug. Lastly, the Experience Manager Screens update tackles two cross-site scripting (XSS) bugs. Notably, none of the vulnerabilities addressed this month were publicly known or under active attack at the time of release. Besides ColdFusion, all updates are categorized as deployment priority 3.
Microsoft’s Extensive Patch Rollout
Meanwhile, Microsoft made headlines with a substantial release of 130 new CVEs across its suite of products, including Windows, Office, .NET, Azure, Teams, and more. This release, which also includes eight bugs reported through the Trend ZDI program, brings the total to 140 CVEs when factoring in additional third-party vulnerabilities. Of the patches, 10 are rated Critical, while the remainder are classified as Important.
July is typically a heavier month for patches, although the reasons remain somewhat unclear. Speculation suggests that Microsoft may be aiming to address as many vulnerabilities as possible ahead of the upcoming Black Hat and DEFCON conferences in early August. While one bug is noted as publicly known at the time of release, none are currently under active attack.
Among the more critical updates is CVE-2025-47981, a heap-based buffer overflow affecting the Windows SPNEGO Extended Negotiation component. This vulnerability allows remote, unauthenticated attackers to execute code simply by sending a malicious message, which makes it a wormable bug. Microsoft has assigned it the highest Exploitability Index rating, indicating that it expects exploitation within 30 days. Prompt testing and deployment of patches are strongly advised.
Another significant vulnerability is CVE-2025-49717, which affects Microsoft SQL Server. This heap-based buffer overflow could enable an attacker to execute a malicious query, potentially allowing code execution on the host system. Addressing this issue may require updates to applications using Microsoft OLE DB Driver 18 or 19, as detailed in the bulletin.
Additionally, CVE-2025-49704, originating from the Pwn2Own Berlin competition, allows code injection over the network in Microsoft SharePoint. Although it requires some level of authentication, it is a reminder that authentication alone is not a sufficient defense. Lastly, CVE-2025-49695, one of four Critical-rated vulnerabilities in Microsoft Office, highlights a concerning trend, as the Preview Pane is listed as an attack vector. Mac users may find themselves at a disadvantage, as updates for Microsoft Office LTSC for Mac 2021 and 2024 are not yet available.
As organizations navigate these updates, vigilance and prompt action will be essential in mitigating potential risks associated with these vulnerabilities.