Introduction
Session hijacking and data compromise are real risks for organizations using Adobe Connect 12.9 and earlier, due to a DOM-based Cross-Site Scripting (XSS) vulnerability tracked as CVE-2025-49553. This flaw allows attackers to execute arbitrary scripts in a victim's browser if they can convince the user to visit a crafted web page. With a CVSS score of 9.3, the impact on confidentiality and integrity is significant.
About Adobe and Adobe Connect: Adobe is a global leader in creative, document, and collaboration software, with millions of users worldwide. Adobe Connect is a widely adopted web conferencing platform used by enterprises, educational institutions, and government agencies for virtual meetings, webinars, and online training. Its security posture is critical due to the sensitive nature of communications it facilitates.
Technical Information
CVE-2025-49553 is a DOM-based Cross-Site Scripting vulnerability in Adobe Connect versions 12.9 and earlier. The root cause is improper neutralization of user-controllable input during web page generation (CWE-79). Specifically, client-side JavaScript in the Adobe Connect application processes data from DOM sources such as document.URL or document.location and inserts it into the DOM without sufficient sanitization.
This enables attackers to craft malicious URLs or web pages that, when visited by a victim, trigger the execution of arbitrary JavaScript in the context of the Adobe Connect application. The attack requires user interaction, typically by clicking a malicious link or visiting a crafted page. Successful exploitation can lead to session hijacking, allowing attackers to impersonate users and access sensitive meeting data. The vulnerability is entirely client-side and does not require authentication.
No public code snippets or proof-of-concept exploits are available for this issue.
Affected Systems and Versions
- Adobe Connect versions 12.9 and earlier are affected.
- All deployment models (hosted, managed service, on-premises) using these versions are vulnerable.
- The vulnerability is present in the web client component.
Vendor Security History
Adobe Connect has a documented history of XSS and related vulnerabilities, with regular security advisories and patches. Previous bulletins such as APSB25-36 addressed reflected XSS and privilege escalation issues. Adobe maintains a public bug bounty program and typically releases patches within industry-standard timeframes. The product receives ongoing security updates and is considered actively maintained.