Critical Adobe AEM Vulnerability Exploited: CISA Warns Users

Adobe Experience Manager AEM Forms CVE-2025-54253 CISA KEV Remote Code Execution Apache Struts Cybersecurity
Edward Zhou
Edward Zhou

CEO & Co-Founder

 
October 17, 2025 2 min read

TL;DR

A critical misconfiguration vulnerability (CVE-2025-54253) in Adobe Experience Manager (AEM) Forms on JEE is actively exploited, allowing remote code execution. CISA has added this perfect-score flaw to its KEV catalog. Organizations must upgrade to version 6.5.0-0108 or later to patch this severe security risk.

Adobe Experience Manager Vulnerability Exploited

A misconfiguration vulnerability in Adobe Experience Manager (AEM) Forms on Java Enterprise Edition (JEE), tracked as CVE-2025-54253, is being actively exploited in the wild. The Cybersecurity and Infrastructure Security Agency (CISA) has added this flaw to its Known Exploited Vulnerabilities (KEV) catalog.

Vulnerability Details

  • CVE-2025-54253: A misconfiguration in AEM Forms that leaves Apache Struts "devMode" enabled in the admin UI, combined with an authentication bypass. This allows unauthenticated attackers to run expressions that the Struts framework will evaluate, potentially leading to remote code execution (RCE). The CVSS score is a perfect 10.0, indicating maximum severity.
  • Affected Versions: Adobe Experience Manager (AEM) Forms on JEE versions 6.5.23.0 and earlier.
  • Resolution: Upgrade to version 6.5.0-0108 or later.
  • Reported By: Shubham Shah and Adam Kues of Searchlight Cyber.

Technical Explanation

The vulnerability stems from an exposed /adminui/debug servlet. This servlet evaluates user-supplied OGNL expressions as Java code without requiring authentication or input validation, enabling attackers to execute arbitrary system commands via a crafted HTTP request, according to FireCompass.

Researchers Adam Kues and Shubham Shah at Searchlight Cyber disclosed the vulnerabilities, including CVE-2025-54254, an XML external entity (XXE) injection within AEM Forms web services.

Remediation

Adobe addressed the vulnerability in August 2025. Users are advised to upgrade to version 6.5.0-0108 or later as soon as possible. CISA has directed Federal Civilian Executive Branch (FCEB) agencies to patch their systems by November 5, 2025.

Edward Zhou
Edward Zhou

CEO & Co-Founder

 

CEO & Co-Founder of Gopher Security, leading the development of Post-Quantum cybersecurity technologies and solutions.

Related News

WinRAR CVE-2025-6218 Vulnerability Under Active Attack by Threat Groups
WinRAR vulnerability

WinRAR CVE-2025-6218 Vulnerability Under Active Attack by Threat Groups

CISA flags WinRAR CVE-2025-6218 as actively exploited. Learn about this path traversal flaw and how to protect your systems. Update now!

By Jim Gagnard December 11, 2025 3 min read
Read full article
Malicious VSCode Extensions Launch Multi-Stage Attacks and Infostealers
malicious VSCode extensions

Malicious VSCode Extensions Launch Multi-Stage Attacks and Infostealers

Beware of malicious VSCode extensions & device code phishing scams. Learn how these attacks steal credentials, capture screens, and hijack sessions. Protect yourself now!

By Alan V Gutnov December 10, 2025 6 min read
Read full article
PRC State-Sponsored BRICKSTORM Malware Targets Critical Infrastructure
BRICKSTORM malware

PRC State-Sponsored BRICKSTORM Malware Targets Critical Infrastructure

Discover how PRC state actors are using BRICKSTORM malware to gain persistent access via VMware. Learn about its advanced evasion techniques and how to defend your systems. Read now!

By Divyansh Ingle December 9, 2025 3 min read
Read full article
Google Patches 107 Android Vulnerabilities, Including Zero-Days
Android security

Google Patches 107 Android Vulnerabilities, Including Zero-Days

Google's December update fixes 107 Android vulnerabilities, including two zero-days. Ensure your device is protected! Check your security update level now.

By Divyansh Ingle December 8, 2025 3 min read
Read full article