CVE-2025-54228

5.5 MEDIUM

📋 TL;DR

Adobe InDesign has an out-of-bounds read vulnerability that could allow attackers to read sensitive memory contents by tricking users into opening malicious files. This affects InDesign Desktop versions 20.4, 19.5.4 and earlier. User interaction is required for exploitation.

💻 Affected Systems

Products:
  • Adobe InDesign Desktop
Versions: 20.4, 19.5.4 and earlier
Operating Systems: Windows, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations of affected versions are vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Sensitive memory contents including passwords, encryption keys, or other application data could be disclosed to an attacker.

🟠 Likely Case

Limited information disclosure from application memory, potentially revealing some user data or system information.

🟢 If Mitigated

No impact if users don't open untrusted files or if patched versions are used.

🌐 Internet-Facing: LOW - Requires user interaction with malicious files, not directly exploitable over network.
🏢 Internal Only: MEDIUM - Internal users could be targeted via phishing or shared malicious files.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires user to open a malicious file, making social engineering necessary for exploitation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Update to versions after 20.4 and 19.5.4

Vendor Advisory: https://helpx.adobe.com/security/products/indesign/apsb25-79.html

Restart Required: No

Instructions:

1. Open Adobe InDesign.
2. Go to Help > Updates.
3. Follow the prompts to install the latest version.
4. Alternatively, download the update from the Adobe Creative Cloud desktop app.

🔧 Temporary Workarounds

Restrict file opening (platform: all)

Configure application control to block opening of untrusted InDesign files.

🧯 If You Can't Patch

  • Implement application whitelisting to restrict which users can run InDesign
  • Educate users to never open InDesign files from untrusted sources

🔍 How to Verify

Check if Vulnerable:

Check the InDesign version via Help > About InDesign. If the version is 20.4 or earlier (20.x branch) or 19.5.4 or earlier (19.x branch), the installation is vulnerable.

Check Version:

Not applicable - check via application GUI

Verify Fix Applied:

Confirm in Help > About InDesign that the installed version is newer than 20.4 (20.x branch) or newer than 19.5.4 (19.x branch).
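The two checks above (is a given build affected, and has the fix been applied) share one piece of logic: a branch-aware version comparison, because "20.4, 19.5.4 and earlier" describes two separately maintained release lines. The following is an added example, not part of this advisory or of any Adobe tooling. It takes version strings as read from Help > About InDesign or from an inventory export (the inventory and hostnames below are constructed), encodes the affected ranges from the advisory text, and sorts hosts into vulnerable / fixed / unknown so that a newer, unlisted branch or an unparseable string is flagged for manual review rather than silently marked safe.

```python
"""Branch-aware version triage for CVE-2025-54228 (Adobe InDesign Desktop).

Added example; the affected ranges come from the advisory text
("20.4, 19.5.4 and earlier"), everything else is an assumption.
"""
from typing import Dict, List, Optional, Tuple

# Highest vulnerable release per major branch, per the advisory.
VULNERABLE_THROUGH: Dict[int, Tuple[int, ...]] = {
    20: (20, 4),
    19: (19, 5, 4),
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '20.4', '19.5.4' or 'v20.4' into a tuple of ints.

    Raises ValueError for anything that is not dot-separated digits, so
    that junk inventory data is surfaced instead of compared as 0.0.
    """
    cleaned = text.strip().lstrip("vV")
    parts = cleaned.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(version: str) -> Optional[bool]:
    """True if affected, False if fixed, None if the branch is not covered.

    Tuple comparison handles the branch ceilings naturally: (20, 3) is
    below (20, 4); (19, 5, 5) and (19, 6) are above (19, 5, 4).
    """
    v = parse_version(version)
    major = v[0]
    if major in VULNERABLE_THROUGH:
        return v <= VULNERABLE_THROUGH[major]
    if major < min(VULNERABLE_THROUGH):
        # Branches older than the listed ones fall under "and earlier".
        return True
    # A branch newer than the advisory describes: do not assume it is fixed,
    # check the vendor page instead.
    return None


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Group hostname -> version pairs into vulnerable / fixed / unknown.

    Unknown collects unparseable strings and uncovered branches, so nothing
    is reported as safe without an explicit match against the advisory.
    """
    groups: Dict[str, List[str]] = {"vulnerable": [], "fixed": [], "unknown": []}
    for host, version in inventory.items():
        try:
            verdict = is_vulnerable(version)
        except ValueError:
            verdict = None
        if verdict is True:
            groups["vulnerable"].append(host)
        elif verdict is False:
            groups["fixed"].append(host)
        else:
            groups["unknown"].append(host)
    return {k: sorted(v) for k, v in groups.items()}


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY: Dict[str, str] = {
    "design-ws-01": "20.4",     # last affected 20.x release
    "design-ws-02": "20.5",     # after 20.4
    "design-ws-03": "19.5.4",   # last affected 19.x release
    "design-ws-04": "21.0",     # branch not described by the advisory
    "design-ws-05": "unknown",  # inventory agent returned junk
}

if __name__ == "__main__":
    for group, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{group:10s} {', '.join(hosts) or '-'}")
```

Feeding the output into a ticketing or SIEM enrichment step is straightforward; the important design choice is that only an explicit match against the advisory's branches yields "fixed", so a 21.x build or a garbled version string lands in the review queue instead of being counted as remediated.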

📡 Detection & Monitoring

Log Indicators:

  • Application crashes or unexpected behavior when opening InDesign files
  • Security software alerts for suspicious file access

Network Indicators:

  • Downloads of InDesign files from untrusted sources

SIEM Query:

source="*indesign*" AND (event="crash" OR event="error") AND file_extension="indd"
