Critical Adobe AEM Vulnerability Exploited: CISA Warns Users

Adobe Experience Manager AEM Forms CVE-2025-54253 CISA KEV Remote Code Execution Apache Struts Cybersecurity
Edward Zhou
Edward Zhou

CEO & Co-Founder

 
October 17, 2025 2 min read

TL;DR

A critical misconfiguration vulnerability (CVE-2025-54253) in Adobe Experience Manager (AEM) Forms on JEE is actively exploited, allowing remote code execution. CISA has added this perfect-score flaw to its KEV catalog. Organizations must upgrade to version 6.5.0-0108 or later to patch this severe security risk.

Adobe Experience Manager Vulnerability Exploited

A misconfiguration vulnerability in Adobe Experience Manager (AEM) Forms on Java Enterprise Edition (JEE), tracked as CVE-2025-54253, is being actively exploited in the wild. The Cybersecurity and Infrastructure Security Agency (CISA) has added this flaw to its Known Exploited Vulnerabilities (KEV) catalog.

Vulnerability Details

  • CVE-2025-54253: A misconfiguration in AEM Forms that leaves Apache Struts "devMode" enabled in the admin UI, combined with an authentication bypass. This allows unauthenticated attackers to run expressions that the Struts framework will evaluate, potentially leading to remote code execution (RCE). The CVSS score is a perfect 10.0, indicating maximum severity.
  • Affected Versions: Adobe Experience Manager (AEM) Forms on JEE versions 6.5.23.0 and earlier.
  • Resolution: Upgrade to version 6.5.0-0108 or later.
  • Reported By: Shubham Shah and Adam Kues of Searchlight Cyber.

Technical Explanation

The vulnerability stems from an exposed /adminui/debug servlet. This servlet evaluates user-supplied OGNL expressions as Java code without requiring authentication or input validation, enabling attackers to execute arbitrary system commands via a crafted HTTP request, according to FireCompass.

Researchers Adam Kues and Shubham Shah at Searchlight Cyber disclosed the vulnerabilities, including CVE-2025-54254, an XML external entity (XXE) injection within AEM Forms web services.

Remediation

Adobe addressed the vulnerability in August 2025. Users are advised to upgrade to version 6.5.0-0108 or later as soon as possible. CISA has directed Federal Civilian Executive Branch (FCEB) agencies to patch their systems by November 5, 2025.

Edward Zhou
Edward Zhou

CEO & Co-Founder

 

CEO & Co-Founder of Gopher Security, leading the development of Post-Quantum cybersecurity technologies and solutions..

Related Articles

AWS outage

Amazon AWS Outage Reveals Tech Vulnerabilities and Provider Risks

Thousands of apps and websites went down due to an AWS outage. Discover the impact, affected services, and expert insights on cloud dependency. Read more!

By Alan V Gutnov October 22, 2025 2 min read
Read full article
Operation SIMCARTEL

Europol Dismantles SIM Farm Network Behind 49 Million Fake Accounts

Europol's Operation SIMCARTEL disrupted a massive SIM farm network used for phishing & fraud. Learn about the arrests, seizures, and impact on cybercrime. Read more!

By Edward Zhou October 21, 2025 2 min read
Read full article
China cyberattack

China Accuses US of Cyberattacks on National Time Center

China alleges NSA cyberattacks on its National Time Service Center, stealing data and targeting critical timing systems. Learn more about the accusations. Read now!

By Alan V Gutnov October 20, 2025 2 min read
Read full article
Apache ActiveMQ vulnerability

Critical RCE Vulnerability in Apache ActiveMQ Exploited by Attackers

Protect your systems from critical Apache ActiveMQ vulnerabilities, including RCE flaws in .NET AMQP client and OpenWire protocol. Learn how to mitigate and secure your deployments.

By Edward Zhou October 16, 2025 6 min read
Read full article