CVE-2025-43591 – Adobe InDesign versions 19.5.3 and earlier cont... (How to Fix)

Q: What is the severity of CVE-2025-43591?

CVE-2025-43591 has a CVSS score of 7.8 (HIGH). Adobe InDesign versions 19.5.3 and earlier contain a heap-based buffer overflow vulnerability that allows attackers to execute arbitrary code when a user opens a malicious file. This affects all users running vulnerable versions of InDesign Desktop on any operating system.

📋 TL;DR

Adobe InDesign versions 19.5.3 and earlier contain a heap-based buffer overflow vulnerability that allows attackers to execute arbitrary code when a user opens a malicious file. This affects all users running vulnerable versions of InDesign Desktop on any operating system.

💻 Affected Systems

Products:

Adobe InDesign Desktop

Versions: 19.5.3 and earlier

Operating Systems: Windows, macOS

Default Config Vulnerable: ⚠️ Yes

Notes: All default installations of affected versions are vulnerable. Requires user interaction to open malicious file.

📦 What is this software?

Indesign by Adobe

View all CVEs affecting Indesign →

Indesign by Adobe

View all CVEs affecting Indesign →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise with attacker gaining the same privileges as the logged-in user, potentially leading to data theft, ransomware deployment, or lateral movement.

🟠

Likely Case

Local privilege escalation leading to malware installation, data exfiltration, or persistence mechanisms being established on the compromised system.

🟢

If Mitigated

Limited impact due to application sandboxing or restricted user privileges, potentially resulting in application crash rather than code execution.

🌐 Internet-Facing: LOW

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Exploitation requires user interaction (opening malicious file). No public exploit code available at this time.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 19.5.4 or later

Vendor Advisory: https://helpx.adobe.com/security/products/indesign/apsb25-60.html

Restart Required: Yes

Instructions:

1. Open Adobe Creative Cloud application
2. Navigate to 'Apps' section
3. Find Adobe InDesign and click 'Update'
4. Restart computer after update completes

🔧 Temporary Workarounds

Restrict InDesign file handling

all

Configure system to open .indd files with alternative applications or require verification before opening

Application control policies

all

Implement application whitelisting to prevent execution of unauthorized code

🧯 If You Can't Patch

Implement strict file handling policies to prevent opening untrusted InDesign files
Run InDesign with restricted user privileges and application sandboxing

🔍 How to Verify

Check if Vulnerable:

Check InDesign version via Help > About InDesign. If version is 19.5.3 or earlier, system is vulnerable.

Check Version:

On Windows: wmic product where name="Adobe InDesign" get version
On macOS: /Applications/Adobe\ InDesign\ 2024/Adobe\ InDesign.app/Contents/MacOS/Adobe\ InDesign --version

Verify Fix Applied:

Verify version is 19.5.4 or later in Help > About InDesign menu.

📡 Detection & Monitoring

Log Indicators:

Unexpected InDesign crashes
Process creation from InDesign with unusual command lines
File access to suspicious .indd files

Network Indicators:

Outbound connections from InDesign process to unknown IPs
DNS requests for suspicious domains from InDesign

SIEM Query:

process_name:"InDesign.exe" AND (event_type:process_creation OR event_type:crash)

📊 Metadata

CVE ID: CVE-2025-43591

CVSS v3 Score: 7.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE: CWE-122

EPSS Score: 0.03% exploit probability (8.4th percentile)

Published: July 8, 2025

Last Updated: July 10, 2025

🔗 References

https://helpx.adobe.com/security/products/indesign/apsb25-60.html Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-43591, you might also want to check these: