Adobe has released a critical security update for its popular design software Illustrator, addressing a severe vulnerability that could allow attackers to execute arbitrary code on targeted systems.
The security bulletin details a heap-based buffer overflow vulnerability that affects multiple versions of the software on both Windows and macOS platforms.
The security flaw, identified as CVE-2025-30330, is rated critical by Adobe and carries a CVSS base score of 7.8.
It is a heap-based buffer overflow (CWE-122): a write past the end of a heap allocation that, if successfully exploited, lets the attacker run code with the privileges of the user who opened the file.
“This vulnerability could allow an attacker to execute arbitrary code in the context of the current user,” explains the Adobe security bulletin.
The technical vector for the vulnerability is CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H: a local attack vector (the malicious file has to be opened on the victim's machine), low attack complexity, no privileges required, user interaction required, unchanged scope, and high impact on confidentiality, integrity, and availability.
As the UI:R component indicates, exploitation requires user interaction, specifically that the victim must open a malicious file crafted by the attacker.
This represents a common attack vector where malicious actors distribute specially crafted Illustrator files through email attachments, compromised websites, or other means.
A remote attacker who tricks the victim into opening a specially crafted file can trigger the heap-based buffer overflow and execute arbitrary code on the target system.
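As an added example, and not Adobe's code or anything derived from the patched binary (Illustrator's file-parsing code is not public), the following C shows the generic pattern behind a CWE-122 bug triggered by a crafted file, using a constructed, hypothetical "DEMO" chunk format: the parser sizes a heap allocation from a length field the attacker controls but copies a different amount, so a file that declares 4 bytes and carries 64 writes 60 bytes past the allocation. Alongside it is the bounded version that caps the declared length, refuses files shorter than they claim, and never copies more than it allocated. The format, the function names, and the MAX_SECTION cap are all assumptions made for the example.

```c
/* Added example: heap-based buffer overflow (CWE-122) in a file parser,
 * vulnerable and hardened forms. The "DEMO" format is constructed for this
 * example and is not any real Illustrator/.ai/.eps structure. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HDR_LEN 8          /* 4-byte magic "DEMO" + 4-byte little-endian length */
#define MAX_SECTION 4096   /* assumed upper bound a sane parser puts on one section */

static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr_le32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Vulnerable: the heap allocation is sized by the file's own length field,
 * but the copy uses the amount of data that actually follows the header.
 * A file declaring 4 bytes and carrying 64 overflows the allocation by 60. */
uint8_t *parse_unsafe(const uint8_t *file, size_t file_len, uint32_t *out_len) {
    if (file_len < HDR_LEN || memcmp(file, "DEMO", 4) != 0) return NULL;
    uint32_t declared = rd_le32(file + 4);
    uint8_t *buf = malloc(declared);                    /* attacker-chosen size */
    if (buf == NULL) return NULL;
    memcpy(buf, file + HDR_LEN, file_len - HDR_LEN);    /* BUG: unbounded copy */
    *out_len = declared;
    return buf;
}

/* Hardened: cap the declared length, require the file to really contain that
 * many bytes (no over-read), and copy exactly what was allocated. */
uint8_t *parse_safe(const uint8_t *file, size_t file_len, uint32_t *out_len) {
    if (file_len < HDR_LEN || memcmp(file, "DEMO", 4) != 0) return NULL;
    uint32_t declared = rd_le32(file + 4);
    if (declared == 0 || declared > MAX_SECTION) return NULL;   /* implausible claim */
    if (declared > file_len - HDR_LEN) return NULL;             /* file shorter than claimed */
    uint8_t *buf = malloc(declared);
    if (buf == NULL) return NULL;
    memcpy(buf, file + HDR_LEN, declared);   /* bounded by the allocation size */
    *out_len = declared;
    return buf;
}

/* Builds a constructed sample file: header claiming `declared` bytes, then
 * `payload_len` bytes of 'A'. Returns the total length, or 0 if `out` is too small. */
size_t build_file(uint8_t *out, size_t cap, uint32_t declared, size_t payload_len) {
    if (cap < HDR_LEN + payload_len) return 0;
    memcpy(out, "DEMO", 4);
    wr_le32(out + 4, declared);
    memset(out + HDR_LEN, 'A', payload_len);
    return HDR_LEN + payload_len;
}

/* Runs parse_safe on a constructed file; returns the number of bytes it
 * accepted, or -1 if the file was rejected. */
long safe_parse_len(uint32_t declared, size_t payload_len) {
    uint8_t file[512];
    uint32_t n = 0;
    size_t len = build_file(file, sizeof file, declared, payload_len);
    if (len == 0) return -1;
    uint8_t *buf = parse_safe(file, len, &n);
    if (buf == NULL) return -1;
    free(buf);
    return (long)n;
}

int main(void) {
    uint8_t file[512];
    uint32_t n = 0;
    /* Benign file: declared length matches the payload, both parsers behave. */
    size_t len = build_file(file, sizeof file, 64, 64);
    uint8_t *buf = parse_unsafe(file, len, &n);
    printf("benign file: unsafe parser copied %u bytes\n", n);
    free(buf);
    /* Crafted file (declares 4, carries 64): parse_unsafe would write 60 bytes
     * past a 4-byte heap chunk, so it is deliberately not called on it. */
    printf("crafted file, safe parser: %ld bytes copied\n", safe_parse_len(4, 64));
    printf("truncated file (declares 64, carries 4), safe parser: %ld\n",
           safe_parse_len(64, 4));
    return 0;
}
```

The hardened parser still accepts the crafted file, but copies only the 4 bytes it allocated and treats the surplus as trailing data; the file that claims more than it contains is rejected outright, since copying the declared amount would read past the input. Both checks, a cap on attacker-supplied sizes and a copy length tied to the allocation rather than to the input, are what a fix for this bug class typically amounts to.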
Adobe credited a security researcher identified only as “yjdfy” for discovering and reporting the vulnerability.
Affected Software Versions
The vulnerability impacts the following Adobe Illustrator versions:
- Illustrator 2025 version 29.3 and earlier on Windows and macOS.
- Illustrator 2024 version 28.7.5 and earlier on Windows and macOS.
| Risk Factors | Details |
|---|---|
| Affected Products | Adobe Illustrator 2025 (≤29.3); Adobe Illustrator 2024 (≤28.7.5) |
| Impact | Arbitrary code execution |
| Exploit Prerequisites | User interaction required; victim must open a malicious .ai/.eps file |
| CVSS 3.1 Score | 7.8 (High on the CVSS v3.1 scale; rated Critical by Adobe) |
Mitigation
Adobe has addressed this vulnerability in the following updated versions:
- Illustrator 2025 version 29.4 and above.
- Illustrator 2024 version 28.7.6 and above.
Users are strongly advised to update their Illustrator installations immediately through the Creative Cloud desktop application’s update mechanism. For those who have disabled automatic updates, manual intervention will be required.
The company stated it is not aware of any exploits in the wild targeting this vulnerability, but this could change rapidly as details become public.
Organizations using Adobe Illustrator should implement a comprehensive patch management strategy, consider replacing automatic updates with a centrally managed rollout only where deployment scheduling must be controlled (and then deploy this fix promptly), and maintain user awareness about the risks of opening files from untrusted sources.
Users concerned about potential exploitation should update their software immediately and exercise caution when opening Illustrator files from unknown or untrusted sources.