Adobe InDesign is a desktop publishing application. It includes a server interface providing an API for software developers using SOAP.
The SOAP interface in Adobe InDesign Server allows remote, unauthenticated attackers to run arbitrary commands contained in a RunScript SOAP message.
No patches were available at the time of this writing. Disable the Adobe InDesign Server or block access to port 12345/TCP at the firewall.
Exploit works on Adobe InDesign Server CS6 220.127.116.110 on Windows Server 2008 R2 SP1 (DEP OptOut).