
CVE-2025-49570: Adobe Photoshop RCE Vulnerability

CVE-2025-49570 is an out-of-bounds write RCE vulnerability in Adobe Photoshop that enables arbitrary code execution. This article covers the technical details, affected versions, exploitation requirements, and mitigation.

CVE-2025-49570 Overview

CVE-2025-49570 is an out-of-bounds write vulnerability [CWE-787] affecting Adobe Photoshop Desktop versions 25.12.3, 26.8, and earlier on Windows and macOS. An attacker who convinces a user to open a crafted file can trigger arbitrary code execution in the context of the current user. The flaw requires local access and user interaction, but successful exploitation grants full read, write, and execute capability under the victim's privileges. Adobe published security bulletin APSB25-75 to address the issue.

Critical Impact

Arbitrary code execution in the context of the current user when a victim opens a malicious Photoshop file.

Affected Products

  • Adobe Photoshop Desktop 25.12.3 and earlier (2024 release line)
  • Adobe Photoshop Desktop 26.8 and earlier (2025 release line)
  • Windows and macOS installations of the affected versions

Discovery Timeline

  • 2025-08-12 - CVE-2025-49570 published to NVD
  • 2025-08-12 - Adobe publishes security advisory APSB25-75
  • 2025-08-14 - Last updated in NVD database

Technical Details for CVE-2025-49570

Vulnerability Analysis

The vulnerability is an out-of-bounds write [CWE-787] in Adobe Photoshop's file parsing logic. When Photoshop processes a crafted image or project file, the application writes data past the bounds of an allocated buffer. This corruption of adjacent memory enables an attacker to overwrite control structures such as function pointers or object metadata.

The attack vector is local and requires user interaction. A victim must open the malicious file in a vulnerable Photoshop build for the bug to trigger. Once triggered, the corrupted memory state can be steered toward arbitrary code execution under the user account running Photoshop.

No public proof-of-concept code is currently available. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, and no exploitation in the wild has been reported.

Root Cause

The root cause is insufficient bounds checking during the parsing of attacker-controlled file structures. The vendor advisory APSB25-75 does not disclose the specific file format or parser routine responsible. Out-of-bounds write conditions in image processing applications typically stem from incorrect size calculations, integer truncation, or missing validation of length fields embedded in untrusted input.

Attack Vector

The attacker delivers a malicious file through email, instant messaging, removable media, or a watering-hole site. When the user opens the file in a vulnerable Photoshop version, the parser writes attacker-controlled data outside the intended buffer. Code execution then runs at the user's privilege level, allowing data theft, persistence, or lateral movement.

No verified exploit code is publicly available. Refer to the Adobe Photoshop Security Advisory APSB25-75 for vendor-supplied technical context.

Detection Methods for CVE-2025-49570

Indicators of Compromise

  • Unexpected child processes spawned by Photoshop.exe (Windows) or Adobe Photoshop 2025 (macOS), such as cmd.exe, powershell.exe, bash, or osascript
  • Photoshop process crashes or unusual exception events correlated with opening files from untrusted sources
  • Newly created executables, scripts, or scheduled tasks following Photoshop file open operations
  • Outbound network connections originating from the Photoshop process to unknown hosts

Detection Strategies

  • Hunt for process lineage where Photoshop is the parent of interpreters, shells, or LOLBins
  • Inspect Photoshop file open telemetry for .psd, .psb, or auxiliary format files originating from email attachments, download folders, or removable media
  • Correlate crash dumps from Windows Error Reporting (WER) or macOS CrashReporter against opened file paths to identify candidate malicious samples
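
The process-lineage hunt described above can be expressed as a small filter over process-creation events. This is an added example, not part of the original advisory or any vendor tooling; the event dictionaries use Sysmon Event ID 1 field names (`ParentImage`, `Image`, `CommandLine`), macOS events are assumed to be normalized to the same keys, and the sample records are constructed.

```python
import ntpath
import posixpath

# Process names taken from the indicators listed above (compared in lower case).
PHOTOSHOP_PARENTS = {"photoshop.exe", "adobe photoshop 2025"}
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "bash", "osascript"}


def exe_name(image_path):
    """Lower-cased file name of a Windows or POSIX executable path."""
    mod = ntpath if "\\" in image_path else posixpath
    return mod.basename(image_path).lower()


def find_photoshop_children(events):
    """Return events where Photoshop is the parent of a shell or interpreter."""
    return [
        ev for ev in events
        if exe_name(ev.get("ParentImage", "")) in PHOTOSHOP_PARENTS
        and exe_name(ev.get("Image", "")) in SUSPICIOUS_CHILDREN
    ]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"UtcTime": "2025-08-20 09:14:02", "Computer": "ws-design-01",
     "ParentImage": r"C:\Program Files\Adobe\Adobe Photoshop 2025\Photoshop.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile"},
    # A shell started from Explorer is ordinary user activity: not a hit.
    {"UtcTime": "2025-08-20 09:15:40", "Computer": "ws-design-01",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe"},
    # Photoshop as the child (a user opening a file) is also not a hit.
    {"UtcTime": "2025-08-20 09:13:55", "Computer": "ws-design-01",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Adobe\Adobe Photoshop 2025\Photoshop.exe",
     "CommandLine": r"Photoshop.exe C:\Users\example\Downloads\banner.psd"},
    {"UtcTime": "2025-08-20 11:02:17", "Computer": "mac-design-07",
     "ParentImage": "/Applications/Adobe Photoshop 2025/Adobe Photoshop 2025.app"
                    "/Contents/MacOS/Adobe Photoshop 2025",
     "Image": "/usr/bin/osascript",
     "CommandLine": "osascript -"},
]

if __name__ == "__main__":
    for ev in find_photoshop_children(SAMPLE_EVENTS):
        print(ev["UtcTime"], ev["Computer"], exe_name(ev["Image"]), ev["CommandLine"])
```

Each hit should be reviewed together with the file Photoshop opened shortly before the child process started, since that file is the candidate malicious sample.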

Monitoring Recommendations

  • Enable command-line and process creation logging (Sysmon Event ID 1, macOS ESF) and forward events to a central analytics platform
  • Alert on managed endpoints reporting Photoshop version 25.12.3 or earlier (2024 release line) or 26.8 or earlier (2025 release line)
  • Track file write operations by Photoshop into autorun, startup, or scheduled task locations

How to Mitigate CVE-2025-49570

Immediate Actions Required

  • Update Adobe Photoshop to the fixed versions listed in APSB25-75 on all Windows and macOS endpoints
  • Inventory installed Photoshop builds across the environment and prioritize patching workstations used by designers and contractors who routinely receive external files
  • Instruct users to avoid opening Photoshop files received from unverified sources until patching is complete

Patch Information

Adobe addressed CVE-2025-49570 in the updates published under Adobe Photoshop Security Advisory APSB25-75. Administrators should deploy the updated builds through the Adobe Creative Cloud desktop application or through enterprise software distribution tools.

Workarounds

  • Restrict opening of Photoshop files originating from untrusted email senders or external storage
  • Run Photoshop under a standard user account rather than an administrator account to limit the impact of code execution
  • Apply application allowlisting to prevent unexpected child processes from launching under Photoshop.exe
  • Use email and web gateways to inspect and quarantine .psd and .psb attachments from external senders until patches are deployed

```powershell
# Query installed Photoshop version on Windows endpoints via PowerShell
Get-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*" |
  Where-Object { $_.DisplayName -like "Adobe Photoshop*" } |
  Select-Object DisplayName, DisplayVersion, InstallLocation
```
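
Once `DisplayVersion` values have been collected, they can be triaged against the affected ranges stated in this article (25.12.3 and earlier, 26.8 and earlier). The following is an added example, not vendor tooling; the host names and inventory rows are constructed, and it assumes `DisplayVersion` is a dotted numeric string whose first three components carry the release number.

```python
import re

# Ceilings of the affected ranges as stated in this article.
MAX_AFFECTED_2024_LINE = (25, 12, 3)   # 25.12.3 and earlier
MAX_AFFECTED_2025_LINE = (26, 8, 0)    # 26.8 and earlier


def parse_version(text):
    """Return (major, minor, patch) as ints, or None if text is not dotted digits."""
    text = (text or "").strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        return None
    parts = [int(p) for p in text.split(".")][:3]   # assumption: 4th part is a build id
    return tuple(parts + [0] * (3 - len(parts)))


def classify(display_version):
    """Classify a version string as 'affected', 'not-in-stated-range' or 'unparseable'."""
    v = parse_version(display_version)
    if v is None:
        return "unparseable"
    # Numeric tuple comparison: 26.10 sorts after 26.8, unlike a string compare.
    if v <= MAX_AFFECTED_2024_LINE:
        return "affected"
    if (26, 0, 0) <= v <= MAX_AFFECTED_2025_LINE:
        return "affected"
    return "not-in-stated-range"


def affected_hosts(inventory):
    """Hosts needing the APSB25-75 update; unparseable rows are kept for manual review."""
    return [host for host, ver in inventory if classify(ver) != "not-in-stated-range"]


# Constructed inventory rows: (host, DisplayVersion).
SAMPLE_INVENTORY = [
    ("ws-design-01", "26.8.0"),
    ("ws-design-02", "26.10"),
    ("ws-design-03", "25.12.3"),
    ("ws-design-04", "25.12.4"),
    ("ws-design-05", "24.7.1"),
    ("ws-design-06", "unknown"),
]

if __name__ == "__main__":
    for host, ver in SAMPLE_INVENTORY:
        print(f"{host:14} {ver:10} {classify(ver)}")
```

A result of `not-in-stated-range` only means the version is newer than the ranges quoted here; confirm the fixed build numbers against APSB25-75 before closing the finding.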

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
