CVE Alert: CVE-2025-61816 – Adobe – InCopy

CVE-2025-61816

HIGH · No exploitation known

InCopy versions 20.5, 19.5.5 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

CVSS v3.1 (7.8)
AV LOCAL · AC LOW · PR NONE · UI REQUIRED · S UNCHANGED
Vendor
Adobe
Product
InCopy
Versions
0 ≤ version ≤ 19.5.5
CWE
CWE-122: Heap-based Buffer Overflow
Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Published
2025-11-11T17:06:12.524Z
Updated
2025-11-11T17:06:12.524Z

AI Summary Analysis

Risk verdict

High risk; exploitation hinges on a user opening a malicious file, and the CVSS v3.1 base score is 7.8; patching should be pursued promptly once a fixed release is available.

Why this matters

Successful code execution in the current user’s context could lead to data exposure, tampering or persistent access on the workstation. The attacker’s goal may include credential theft, malware installation, or lateral movement using the compromised account.

Most likely attack path

  • Preconditions: the attacker must get a crafted file to the target (for example through a file-delivery channel) and socially engineer the victim into opening it.
  • Attack: once the file is opened, the heap-based overflow allows code execution on the local machine with the victim’s rights; no prior privileges are needed, but user interaction is required.
  • Movement: lateral spread depends on what the compromised account can reach; without additional footholds, broad network traversal is limited.

Who is most exposed

Organisations with desktop workflows relying on this publishing tool for editors/designers, particularly where users operate with standard (non-admin) accounts on Windows/macOS in shared or design-focused environments.

Detection ideas

  • Alerts on abnormal memory usage or application crashes following file opens.
  • Unusual child processes or memory-corruption signatures linked to the application.
  • File-open events involving unexpectedly crafted document payloads.
  • Sudden spikes in CPU/memory during editing sessions.
  • Post-incident indicators: new services or processes spawned after a file load.

Mitigation and prioritisation

  • Apply the vendor patch or upgrade to the fixed release as soon as available.
  • Enforce application allow-listing and sandboxing for the editor where feasible.
  • Disable or restrict opening files from untrusted sources; consider isolated testing of new documents.
  • Deploy EDR/NGAV coverage to alert on memory-corruption or suspicious in-memory activity.
  • User awareness training focusing on social engineering related to document delivery.
