Critical Adobe Experience Manager Flaw CVE-2025-54253 Under Active Exploitation
A critical security vulnerability, tracked as CVE-2025-54253 with a CVSS score of 10.0, has been identified in Adobe Experience Manager (AEM) Forms on JEE versions 6.5.23.0 and earlier. The flaw is a misconfiguration that exposes the /adminui/debug servlet, which evaluates user-supplied OGNL expressions as Java code without requiring authentication or input validation. This allows attackers to execute arbitrary system commands on affected servers with a single crafted HTTP request, leading to the possibility of full remote code execution. Adobe addressed the vulnerability in version 6.5.0-0108, released in early August 2025, and also patched a related issue, CVE-2025-54254, with a CVSS score of 8.6.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-54253 to its Known Exploited Vulnerabilities (KEV) catalog, confirming evidence of active exploitation in the wild. CISA has issued an emergency alert, urging all Federal Civilian Executive Branch (FCEB) agencies and other organizations to apply the necessary patches by November 5, 2025, to mitigate the risk. Security firm FireCompass highlighted the severity of the flaw, noting that the exposed endpoint can be abused without authentication, making exploitation trivial for attackers. Adobe has acknowledged the existence of a publicly available proof-of-concept for both CVE-2025-54253 and CVE-2025-54254, increasing the urgency for remediation.

While specific details of real-world attacks have not been disclosed, the active exploitation status underscores the immediate threat to organizations running vulnerable AEM instances. The vulnerability's critical nature is amplified by its potential to allow attackers to gain complete control over affected systems. Organizations are strongly advised to review their deployments and ensure all relevant patches are applied without delay.
The exposure of such a high-impact endpoint in a widely used enterprise content management platform raises significant concerns for both public and private sector entities. The incident demonstrates the ongoing risk posed by misconfigurations and insufficient input validation in complex web applications. Security teams should also review access logs for signs of exploitation attempts and consider additional monitoring of AEM endpoints. The rapid response from CISA and Adobe highlights the importance of coordinated vulnerability disclosure and mitigation in the face of active threats. Failure to address this vulnerability could result in severe compromise of sensitive data and business operations. The situation remains dynamic, and organizations should stay alert for further advisories or indicators of compromise related to CVE-2025-54253.
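The access-log review recommended above can be scripted. The following is an added example, not code from the original story, from Adobe or from Mallory. It assumes the web tier in front of AEM writes Apache/NGINX "combined" format access logs (the sample lines are constructed, with documentation-range IPs and made-up user agents), and it flags any request whose path resolves to the /adminui/debug servlet named in the advisory after percent-decoding, case-folding and stripping servlet path parameters, so encoded or mixed-case variants of the path are not missed. The response status is kept so a reviewer can separate blocked probes (403) from requests the servlet actually served (200).

```python
import re
from collections import Counter
from urllib.parse import unquote, urlsplit

# Servlet path taken from the advisory text; everything else here is assumed.
WATCHED_PATH = "/adminui/debug"

# Constructed sample lines in "combined" access-log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [16/Oct/2025:10:01:02 +0000] "GET /content/forms/af/sample.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [16/Oct/2025:10:01:05 +0000] "GET /adminui/debug?x=1 HTTP/1.1" 200 431 "-" "curl/8.4.0"
198.51.100.22 - - [16/Oct/2025:10:02:11 +0000] "POST /adminui/debug HTTP/1.1" 200 88 "-" "python-requests/2.31"
198.51.100.22 - - [16/Oct/2025:10:02:30 +0000] "GET /AdminUI/%64ebug;jsessionid=abc HTTP/1.1" 403 12 "-" "python-requests/2.31"
192.0.2.9 - - [16/Oct/2025:10:03:00 +0000] "GET /lc/content/xfaforms/profiles/default.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD target PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)


def normalize_path(target: str) -> str:
    """Canonicalise a request target so encoded/case variants compare equal."""
    path = urlsplit(target).path
    # Decode percent-encoding until stable (bounded, so double encoding is
    # handled without looping forever on pathological input).
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    # Drop servlet path parameters (";jsessionid=...") from each segment,
    # collapse repeated slashes and case-fold the result.
    segments = [seg.split(";", 1)[0] for seg in path.split("/")]
    return "/" + "/".join(seg for seg in segments if seg).lower()


def find_debug_servlet_hits(lines):
    """Return one record per request that reaches the watched servlet path."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        path = normalize_path(m["target"])
        if path == WATCHED_PATH or path.startswith(WATCHED_PATH + "/"):
            hits.append({
                "ip": m["ip"],
                "timestamp": m["ts"],
                "method": m["method"],
                "path": path,
                "raw_target": m["target"],
                "status": int(m["status"]),
                "user_agent": m["ua"] or "",
            })
    return hits


def summarize_by_source(hits):
    """Count flagged requests per source IP for triage."""
    return dict(Counter(h["ip"] for h in hits))


if __name__ == "__main__":
    found = find_debug_servlet_hits(SAMPLE_LOG.splitlines())
    for h in found:
        print(f'{h["timestamp"]} {h["ip"]} {h["method"]} {h["raw_target"]} -> {h["status"]}')
    print("per-source:", summarize_by_source(found))
```

Run it against a real log with `find_debug_servlet_hits(open(path).read().splitlines())`. A 200 on this path from an unexpected source is the signal worth escalating; a 403 shows the request was blocked but still tells you who is probing, which is useful while the patch is being rolled out.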
Timeline
Oct 16, 2025
CISA orders federal agencies to remediate by November 5
Alongside the KEV listing, CISA required Federal Civilian Executive Branch agencies to fix or mitigate CVE-2025-54253 by November 5, 2025. The directive was issued to reduce exposure to ongoing exploitation of the Adobe flaw.
Oct 16, 2025
CISA adds CVE-2025-54253 to the KEV catalog
On October 16, 2025, CISA added Adobe Experience Manager Forms flaw CVE-2025-54253 to its Known Exploited Vulnerabilities catalog after confirming in-the-wild exploitation. The agency highlighted the bug's maximum 10.0 CVSS score and its impact on AEM Forms on JEE deployments.
Aug 1, 2025
Adobe releases patches for CVE-2025-54253 and CVE-2025-54254
Adobe issued fixes in August 2025 for the AEM Forms on JEE vulnerabilities, including CVE-2025-54253, a misconfiguration issue that can enable unauthenticated remote code execution. The updates addressed affected versions 6.5.23.0 and earlier.
Aug 1, 2025
Researchers disclose AEM Forms flaws and release PoC exploits
Security researchers Shubham Shah and Adam Kues reported CVE-2025-54253 and CVE-2025-54254 in Adobe Experience Manager Forms. After Adobe did not patch within 90 days, they published proof-of-concept exploit code, increasing the risk of real-world abuse.
Related Stories

Multiple Critical Vulnerabilities in Adobe Products Allowing Arbitrary Code Execution
Adobe released security advisories addressing multiple vulnerabilities across a range of its products, including ColdFusion, Adobe Experience Manager (AEM), DNG Software Development Kit (SDK), Acrobat, Acrobat Reader, and the Creative Cloud Desktop Application. The most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged-on user, potentially enabling attackers to install programs, modify or delete data, or create new accounts with full user rights. Affected versions span ColdFusion 2025, 2023, and 2021, AEM Cloud Service and 6.5 LTS, DNG SDK 1.7.0 and prior, Acrobat and Acrobat Reader 2020 and 2024 for both Windows and Mac, and Creative Cloud Desktop Application 6.4.0.361 and earlier. Users and administrators are strongly encouraged to review the official advisories and apply the necessary updates to mitigate risk. Threat intelligence at the time of disclosure indicated no reports of these vulnerabilities being exploited in the wild. The advisories emphasize that users with administrative privileges are at greater risk if exploited, and recommend prompt patching to reduce exposure. Organizations relying on Adobe products for document management, web application development, or digital asset workflows should prioritize these updates to prevent potential compromise through remote code execution vulnerabilities.
1 month ago
Critical Vulnerabilities Patched in Multiple Adobe Products Allowing Arbitrary Code Execution
Adobe released urgent security updates addressing over 35 vulnerabilities across a wide range of its products, with several flaws rated as critical due to their potential to allow arbitrary code execution. The most severe vulnerabilities affect Adobe Connect, Adobe Commerce, Magento Open Source, Creative Cloud Desktop, Bridge, Animate, and other widely used applications. Among the most critical issues are two DOM-based cross-site scripting (XSS) vulnerabilities in Adobe Connect, identified as CVE-2025-49553 and CVE-2025-49552, with CVSS scores of 9.3 and 7.3 respectively. These vulnerabilities could enable attackers to execute arbitrary code on targeted systems if exploited. Additionally, a moderate-severity open redirect vulnerability (CVE-2025-54196) was also patched in Adobe Connect. The vulnerabilities were disclosed by a security researcher known as Laish (a_l), and Adobe Connect users are specifically urged to update to version 12.10 for both Windows and macOS to mitigate these risks. Adobe Commerce and Magento Open Source, both critical e-commerce platforms, were also affected by high-risk vulnerabilities that could potentially compromise online stores. Other Adobe products receiving security updates include Creative Cloud, Bridge, Animate, Experience Manager, Substance 3D Viewer, Substance 3D Modeler, FrameMaker, Illustrator, Dimension, and Substance 3D Stager. Adobe has stated that, as of the time of the advisory, there is no evidence that these vulnerabilities have been exploited in the wild. Nevertheless, the company strongly recommends that all customers apply the updates immediately to prevent potential exploitation. The vulnerabilities span a variety of attack vectors, including XSS and open redirect, which could be leveraged for code execution or phishing attacks. The breadth of affected products highlights the widespread risk to organizations relying on Adobe’s software for collaboration, content creation, and e-commerce. 
Security advisories from both industry groups and Adobe emphasize the urgency of patching, especially for organizations using Adobe Connect and e-commerce platforms. The updates are part of Adobe’s regular security cycle, but the critical nature of several flaws makes this release particularly important. Organizations are advised to review their deployment of Adobe products and prioritize patching based on the severity and exposure of affected systems. The disclosure and rapid patching of these vulnerabilities underscore the ongoing need for vigilance and timely software updates in enterprise environments. Adobe’s response demonstrates a coordinated effort to address security risks across its product suite. The advisories provide detailed information on affected versions and recommended mitigation steps. Security teams should monitor for any signs of attempted exploitation and ensure that all relevant systems are updated promptly. The incident serves as a reminder of the persistent threat posed by software vulnerabilities in widely deployed applications.
1 month ago
Adobe Connect Flaws Expose Users to XSS and Potential Code Execution
Adobe disclosed two high-severity vulnerabilities in **Adobe Connect** affecting versions **2025.3, 12.10, and earlier**, and directed customers to advisory **`APSB26-37`** for remediation. One issue, **`CVE-2026-27246`**, is a DOM-based cross-site scripting flaw classified as **`CWE-79`** that can let an attacker manipulate the browser DOM and run malicious JavaScript in a victim’s session after luring the user to a crafted webpage. The vulnerability carries a CVSS v3.1 vector of **`AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N`**, indicating network reachability, low attack complexity, no privileges required, and high confidentiality and integrity impact. Adobe also disclosed **`CVE-2026-34615`**, a **`CWE-502`** deserialization of untrusted data vulnerability in the same product versions that can lead to arbitrary code execution in the context of the current user. Adobe said exploitation of the deserialization flaw does not require user interaction, making it the more serious of the two issues, while both bugs were published through Adobe’s PSIRT process and affect the same supported and earlier Adobe Connect releases. Organizations using Adobe Connect should prioritize patching exposed deployments and reviewing the vendor advisory for fixed versions and mitigation guidance.
3 weeks ago