Skip to main content

Adobe Connect CVE-2025-54196

MEDIUM
URL Redirection to Untrusted Site (Open Redirect) (CWE-601)
2025-10-14 psirt@adobe.com
Open Redirect Adobe Connect
4.3
CVSS 3.1
Share

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
Apr 28, 2026 - 03:30 vuln.today

DescriptionNVD

Adobe Connect versions 12.9 and earlier are affected by a URL Redirection to Untrusted Site ('Open Redirect') vulnerability. An attacker could leverage this vulnerability to redirect users to malicious websites. Exploitation of this issue requires user interaction in that a victim must click on a crafted link.

AnalysisAI

Open redirect vulnerability in Adobe Connect 12.9 and earlier allows remote attackers to redirect users to arbitrary websites by crafting malicious links, requiring victim interaction to click the link. The vulnerability has low confidentiality impact with CVSS 4.3 and no confirmed active exploitation or public exploit code at time of analysis.

Technical ContextAI

Adobe Connect is a web-based video conferencing and collaborative meeting platform. The vulnerability exists in URL handling logic (CWE-601: URL Redirection to Untrusted Site), where user-supplied input is passed unsanitized to redirect mechanisms without validating the target domain. This allows attackers to craft URLs containing arbitrary host parameters that the application redirects to without verification. The affected versions are 12.9 and earlier, identifiable via CPE cpe:2.3:a:adobe:connect:*:*:*:*:*:*:*:* prior to the fix version.

RemediationAI

Upgrade Adobe Connect to version 13.0 or later as released by Adobe in security bulletin APSB25-70 (https://helpx.adobe.com/security/products/connect/apsb25-70.html). No workarounds are documented for this vulnerability prior to patching. If immediate upgrade is not feasible, implement compensating controls: restrict access to Adobe Connect deployments via network segmentation and IP allowlisting to trusted users only, educate users to verify URLs before clicking links from email or chat (especially those referencing Connect meetings with suspicious parameters), and monitor email gateway logs for suspicious redirect URLs containing Connect domain names with unusual query parameters. These controls reduce social engineering attack surface but do not eliminate the vulnerability itself.

Share

CVE-2025-54196 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy