Critical Adobe AEM Vulnerability Exploited: CISA Warns Users

Adobe Experience Manager Vulnerability Exploited

A misconfiguration vulnerability in Adobe Experience Manager (AEM) Forms on Java Enterprise Edition (JEE), tracked as CVE-2025-54253, is being actively exploited in the wild. The Cybersecurity and Infrastructure Security Agency (CISA) has added this flaw to its Known Exploited Vulnerabilities (KEV) catalog.

Vulnerability Details

• CVE-2025-54253: A misconfiguration in AEM Forms that leaves Apache Struts "devMode" enabled in the admin UI, combined with an authentication bypass. This allows unauthenticated attackers to run expressions that the Struts framework will evaluate, potentially leading to remote code execution (RCE). The CVSS score is a perfect 10.0, indicating maximum severity.
• Affected Versions: Adobe Experience Manager (AEM) Forms on JEE versions 6.5.23.0 and earlier.
• Resolution: Upgrade to version 6.5.0-0108 or later.
• Reported By: Shubham Shah and Adam Kues of Searchlight Cyber.

Technical Explanation

The vulnerability stems from an exposed /adminui/debug servlet. This servlet evaluates user-supplied OGNL expressions as Java code without requiring authentication or input validation, enabling attackers to execute arbitrary system commands via a crafted HTTP request, according to FireCompass.

Researchers Adam Kues and Shubham Shah at Searchlight Cyber disclosed the vulnerabilities, including CVE-2025-54254, an XML external entity (XXE) injection within AEM Forms web services.

Remediation

Adobe addressed the vulnerability in August 2025. Users are advised to upgrade to version 6.5.0-0108 or later as soon as possible. CISA has directed Federal Civilian Executive Branch (FCEB) agencies to patch their systems by November 5, 2025.