CVE-2025-21127: 
Adobe Photoshop vulnerability analysis and mitigation

Adobe Photoshop versions 25.12, 26.1 and earlier are affected by an Uncontrolled Search Path Element vulnerability (CVE-2025-21127), discovered and disclosed on January 14, 2025. This vulnerability affects both Windows and macOS versions of Adobe Photoshop (Adobe Advisory, NVD).

The vulnerability is classified as an Uncontrolled Search Path Element (CWE-427) issue that could lead to arbitrary code execution. It has received a CVSS v3.1 base score of 7.8 (HIGH) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. An attacker could manipulate the search path environment variable to point to a malicious library, resulting in the execution of arbitrary code when the application loads (Adobe Advisory).

Successful exploitation of this vulnerability could lead to arbitrary code execution in the context of the current user. The vulnerability affects both confidentiality, integrity, and availability of the system, as indicated by the high CVSS ratings for all three impact metrics (Adobe Advisory, SecurityWeek).

Adobe has released security updates to address this vulnerability. Users are recommended to update to Photoshop 2025 version 26.2 or Photoshop 2024 version 25.12.1 via the Creative Cloud desktop app's update mechanism. For managed environments, IT administrators can use the Admin Console to deploy the updates (Adobe Advisory).

The vulnerability was discovered and reported by an anonymous researcher working with Trend Micro Zero Day Initiative (Adobe Advisory).