Platform
adobe
Component
adobe-connect
Fixed in
12.9.1
A critical Cross-Site Scripting (XSS) vulnerability (CVE-2025-49553) has been identified in Adobe Connect versions 0 through 12.9. This DOM-based XSS allows attackers to inject malicious scripts into a victim's browser, potentially leading to session hijacking and data compromise. Successful exploitation requires a user to navigate to a specially crafted web page. Adobe has acknowledged the vulnerability and released updates to address the issue.
The impact of CVE-2025-49553 is significant due to the potential for session takeover. An attacker could craft a malicious web page that, when visited by a user, executes arbitrary JavaScript code within the user's browser context. This code could then be used to steal session cookies, impersonate the user, and gain unauthorized access to sensitive data and functionality within Adobe Connect. The scope of this vulnerability is broad, affecting all users who interact with vulnerable versions of Adobe Connect. The vulnerability's DOM-based nature means it's less reliant on specific input fields, potentially broadening the attack surface.
CVE-2025-49553 was publicly disclosed on 2025-10-14. The vulnerability has a CRITICAL CVSS score of 9.3, indicating a high probability of exploitation. While no public proof-of-concept (PoC) code has been released as of this writing, the ease of exploitation for DOM-based XSS vulnerabilities suggests that PoCs are likely to emerge. Monitor security advisories and threat intelligence feeds for any signs of active exploitation campaigns.
Exploit Status
EPSS
0.07% (20% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-49553 is to upgrade Adobe Connect to a patched version. Adobe has released updates to address this vulnerability; consult the official Adobe security advisory for the latest version. As a temporary workaround, consider implementing strict Content Security Policy (CSP) headers to restrict the execution of inline scripts and external resources. Review and sanitize any user-supplied input that is rendered within Adobe Connect to prevent malicious code injection. After upgrading, confirm the fix by attempting to trigger the XSS vulnerability with a known payload and verifying that the script is not executed.
Update Adobe Connect to a version later than 12.9 to fix the XSS vulnerability. See the Adobe security bulletin for more details and specific upgrade instructions.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2025-49553 is a critical DOM-based XSS vulnerability affecting Adobe Connect versions 0–12.9, allowing attackers to execute scripts in a victim's browser.
If you are using Adobe Connect versions 0 through 12.9, you are potentially affected by this vulnerability. Check your version and upgrade immediately.
Upgrade Adobe Connect to the latest patched version as recommended by Adobe. Implement Content Security Policy (CSP) as a temporary mitigation.
While no active exploitation has been confirmed, the vulnerability's severity and ease of exploitation suggest a high likelihood of future attacks.
Refer to the official Adobe Security Bulletin for CVE-2025-49553 on the Adobe Security Advisories website.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.