Description
Adobe Connect versions 12.9 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability that could be exploited by a high-privileged attacker to execute malicious scripts in a victim's browser. Exploitation of this issue requires user interaction in that a victim must navigate to a crafted web page. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality and integrity impact as high. Scope is changed.
Published: 2025-10-14
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Adobe Connect versions 12.9 and earlier contain a DOM-based Cross-Site Scripting (XSS) flaw (CWE-79). An attacker who already holds high privileges in Connect can craft a page that, once a victim navigates to it, causes attacker-controlled script to run in the victim's browser in the context of the Adobe Connect application. Because that script executes inside the victim's authenticated session, the practical outcome is session takeover. CVSS rates confidentiality and integrity impact as High and availability as None, and marks scope as changed because the vulnerable component (the Connect web application) and the impacted component (the victim's browser session) are not the same.

Affected Systems

Affected systems are Adobe Connect installations through version 12.9; the NVD CPE configuration lists macOS and Windows as the associated platforms. Builds earlier than the release referenced in Adobe's security bulletin APSB25-70 are affected.

Risk and Exploitability

The CVSS 3.1 base score is 8.1 (High), vector AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N: reachable over the network with low attack complexity, but the attacker must already hold high privileges in Connect and the victim must open a specially crafted page. The EPSS score below 1% and the absence of the CVE from CISA's KEV catalog indicate no known exploitation in the wild; the SSVC assessment likewise records Exploitation: none and Automatable: no. "Scope changed" does not mean the attacker gains elevated privileges within the Adobe Connect environment. It means the injected script executes in a different component (the victim's browser) from the one that is vulnerable, and from there the victim's session can be hijacked and the victim's data read or modified. The score was raised from 7.3 to 8.1 on 28 Apr 2026 when attack complexity was reassessed from High to Low; the other vector components were unchanged.
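To make the mechanism concrete, the following is an added illustration written for this page; it is not Adobe Connect code, and nothing on the page identifies the actual sink. The function names, the "banner" markup and SAMPLE_URL are assumptions constructed for the example. It shows a fragment-driven DOM-XSS sink beside its escaped form, and why the payload never appears in the request that reaches the server.

```javascript
// Added illustration (not Adobe Connect code): how a DOM-based XSS sink turns
// a crafted URL into script execution, why session takeover follows, and why
// the payload never reaches the server. The renderBanner* names, the "banner"
// markup and SAMPLE_URL are assumptions constructed for this example.

// Constructed attacker URL: the payload rides in the fragment (#...), the
// classic DOM-XSS source. alert(document.cookie) stands in for the session
// exfiltration an attacker would really perform.
const SAMPLE_URL =
  'https://connect.example.test/meeting?room=sales#<img src=x onerror="alert(document.cookie)">';

// Source: untrusted data taken straight from the document's URL.
function untrustedFragment(url) {
  // new URL() percent-encodes <, >, " and spaces in the fragment; decoding
  // restores exactly what the attacker typed.
  return decodeURIComponent(new URL(url).hash.slice(1));
}

// Vulnerable pattern: the fragment is concatenated into markup destined for
// an innerHTML-style sink. The browser parses the attacker's <img> element
// and fires its onerror handler in the application's origin.
function renderBannerVulnerable(url) {
  return `<div class="banner">Joining: ${untrustedFragment(url)}</div>`;
}

// Hardened pattern: HTML-escape before the data touches markup (equivalent
// to assigning textContent instead of innerHTML). The text is preserved;
// no element or attribute is created.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

function renderBannerSafe(url) {
  return `<div class="banner">Joining: ${escapeHtml(untrustedFragment(url))}</div>`;
}

// Counts element start tags in the produced markup. The only legitimate one
// is the wrapping <div>, so anything above 1 means the URL injected an element.
function openingTagCount(html) {
  return (html.match(/<[a-z]/gi) || []).length;
}

// What a server-side filter (or WAF) actually sees in the request line:
// path and query only. The fragment is never transmitted, so fragment-borne
// DOM-XSS payloads are invisible to it.
function requestTargetSeenByServer(url) {
  const u = new URL(url);
  return u.pathname + u.search;
}

console.log('vulnerable:', renderBannerVulnerable(SAMPLE_URL));
console.log('hardened:  ', renderBannerSafe(SAMPLE_URL));
console.log('server sees:', requestTargetSeenByServer(SAMPLE_URL));
```

The vulnerable render produces two element start tags (the wrapper and the injected `<img>`), the escaped render produces one, and the request target the server sees is `/meeting?room=sales` with no trace of the payload. The same holds for any other DOM source the application reads client-side (`location.search`, `document.referrer`, `window.name`) when it is written into an HTML-parsing sink.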

Generated by OpenCVE AI on May 1, 2026 at 06:14 UTC.

Remediation

This entry records no vendor fix or workaround in its remediation field; the fix reference is Adobe's security bulletin APSB25-70, cited under the recommended actions below.

OpenCVE Recommended Actions

  • Upgrade to the Adobe Connect release that contains the fix, as noted in Adobe's security bulletin APSB25-70. This is the only complete remediation.
  • Deploy a Content Security Policy on the Adobe Connect interface whose script-src does not allow 'unsafe-inline' (use nonces or hashes instead). A DOM-based XSS payload normally executes as an injected inline script or inline event handler, which an origin allow-list on its own does not stop; treat CSP as defense in depth, not as a fix.
  • A web application firewall or request filter offers only partial coverage against DOM-based XSS: a payload carried in the URL fragment is never sent to the server, so only payloads in the path or query string can be inspected. Use such filtering for detection of probing against the Connect application, not as a substitute for the patch.
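The CSP recommendation is easy to get wrong for this class of bug, so the following added example (written for this page, not taken from Adobe's bulletin or from the product) checks whether a given policy string would still let an injected inline handler or inline script execute. The policy strings WEAK_POLICY and CORRECTED_POLICY are constructed for illustration.

```javascript
// Added example (not Adobe's code and not text from the bulletin): decides
// whether a Content-Security-Policy would still let a DOM-XSS payload run.
// Such payloads usually execute as an injected inline <script> or an inline
// event handler such as onerror=, so the decisive question is whether inline
// script is permitted, not which origins are allow-listed. The policy strings
// below are constructed for illustration.

// Parses a CSP header value into a Map of directive name -> source list.
// Per the spec, a duplicated directive keeps its first occurrence.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// The source list governing script: script-src, falling back to default-src,
// or null when the policy does not restrict script at all.
function scriptSources(policy) {
  const d = parseCsp(policy);
  return d.get('script-src') ?? d.get('default-src') ?? null;
}

// Inline script (and inline event handlers) execute only if 'unsafe-inline'
// is present AND no nonce- or hash-source is listed: CSP Level 2 and later
// ignore 'unsafe-inline' as soon as a nonce or hash appears. Simplification:
// 'unsafe-hashes', 'strict-dynamic' and Report-Only mode are not modelled.
function cspAllowsInlineScript(policy) {
  const sources = scriptSources(policy);
  if (sources === null) return true;
  const lower = sources.map((s) => s.toLowerCase());
  const hasNonceOrHash = lower.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  return lower.includes("'unsafe-inline'") && !hasNonceOrHash;
}

// Constructed policies: the first matches a naive reading of "block scripts
// from untrusted origins" yet leaves inline handlers executable; the second
// closes that gap (the nonce must be freshly random per response).
const WEAK_POLICY = "default-src 'self'; script-src 'self' 'unsafe-inline'";
const CORRECTED_POLICY =
  "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; object-src 'none'; base-uri 'self'";

for (const [label, policy] of [['weak', WEAK_POLICY], ['corrected', CORRECTED_POLICY]]) {
  console.log(`${label}: inline payload ${cspAllowsInlineScript(policy) ? 'RUNS' : 'blocked'}`);
}
```

Even the corrected policy is a mitigation only: a DOM-XSS sink can still be abused with gadgets that do not need inline script (for example setting an element's src to an allowed origin), and a nonce reused across responses is equivalent to 'unsafe-inline'.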


Advisories

No advisories yet.

History

Tue, 28 Apr 2026 02:00:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N'}
Values Added: cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N'}


Fri, 17 Oct 2025 15:00:00 +0000

Type: First Time appeared
Values Added: Adobe; Adobe connect; Apple; Apple macos; Microsoft; Microsoft windows

Type: CPEs
Values Added: cpe:2.3:a:adobe:connect:*:*:*:*:*:-:*:*; cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*; cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*

Type: Vendors & Products
Values Added: Adobe; Adobe connect; Apple; Apple macos; Microsoft; Microsoft windows

Wed, 15 Oct 2025 21:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 14 Oct 2025 22:00:00 +0000

Type: Description
Values Added: Adobe Connect versions 12.9 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability that could be exploited by a high-privileged attacker to execute malicious scripts in a victim's browser. Exploitation of this issue requires user interaction in that a victim must navigate to a crafted web page. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality and integrity impact as high. Scope is changed.

Type: Title
Values Added: Adobe Connect | Cross-site Scripting (DOM-based XSS) (CWE-79)

Type: Weaknesses
Values Added: CWE-79

Type: References
Values Added: (none shown)

Type: Metrics
Values Added: cvssV3_1 {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-04-28T01:44:51.391Z

Reserved: 2025-06-06T15:42:09.517Z

Link: CVE-2025-49552

Vulnrichment

Updated: 2025-10-15T20:13:05.458Z

NVD

Status : Analyzed

Published: 2025-10-14T22:15:37.153

Modified: 2026-04-28T15:39:36.813

Link: CVE-2025-49552

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T06:15:10Z

Weaknesses