CISA has issued a serious warning about a newly discovered security flaw in Adobe Experience Manager (AEM). The vulnerability, tracked as CVE-2025-54253, has received a perfect CVSS severity score of 10.0 and is already being actively exploited by attackers. Due to the high risk it poses to organizations worldwide, CISA has officially added it to its Known Exploited Vulnerabilities (KEV) Catalog.
This vulnerability allows attackers to execute arbitrary code on AEM servers, potentially giving them full control over affected systems. Since Adobe Experience Manager is widely used by large enterprises, governments, banks, and global brands to manage websites and digital forms, this threat has critical consequences for data privacy and system security.
According to Adobe, CVE-2025-54253 is a misconfiguration vulnerability affecting Adobe Experience Manager (AEM) Forms on JEE, version 6.5.23.0 and earlier. It was patched in version 6.5.0-0108, released in August 2025.
Security researchers Adam Kues and Shubham Shah of Searchlight Cyber first disclosed details of this flaw in July 2025. They described it as an:
“Authentication bypass to remote code execution chain via Struts2 devmode”
In simple terms, attackers can exploit this vulnerability without needing a password or valid login. Once they find a vulnerable system, they can run their own commands and take full control of the AEM server.
The vulnerability exists in an exposed servlet endpoint located at:
/adminui/debug
This endpoint is part of the AEM admin environment and is not supposed to be publicly accessible. However, in many cases, organizations unknowingly leave it open to the internet.
Security company FireCompass explained that this endpoint evaluates user-controlled OGNL expressions as Java code without requiring any authentication. That means an attacker can send a single malicious HTTP request to execute system-level commands on the server.
Why this is dangerous:
Remote code execution is possible
Exploit works over a single HTTP request
Gives full server control
Can be used to install malware or steal data
Proof-of-Concept (PoC) exploit already exists publicly
Adobe has already confirmed that proof-of-concept exploit code is publicly available, making it easier for attackers and cybercriminal groups to exploit vulnerable servers.
Along with CVE-2025-54253, Adobe also patched a second serious flaw — CVE-2025-54254. This vulnerability is rated 8.6 (High Severity) and exists in AEM Forms web services.
It is classified as an XML External Entity (XXE) Injection issue. If exploited, it could allow attackers to:
Access sensitive internal files
Read configuration files
Retrieve credentials
Attack internal systems through SSRF (Server-Side Request Forgery)
Together, both vulnerabilities create a high-risk situation for AEM customers, especially those who have not installed the latest update.
Because attackers are already exploiting CVE-2025-54253, CISA has ordered all Federal Civilian Executive Branch (FCEB) agencies to patch the vulnerability before November 5, 2025.
CISA’s alert emphasizes:
“These vulnerabilities put critical systems at immediate risk and must be remediated on priority.”
Although this directive is only mandatory for U.S. government agencies, private businesses and global organizations using Adobe Experience Manager are also strongly advised to update immediately.
AEM is a powerful web content and digital experience management system widely used by:
Government websites
Insurance and banking portals
E-commerce brands
Healthcare companies
Universities and telecoms
Because AEM integrates with customer data and backend services, it is a high-value target for attackers looking to:
Steal customer records
Deploy ransomware
Install web skimmers
Carry out supply chain attacks
Move deeper into corporate networks
Just a day before adding the Adobe AEM flaw to its KEV list, CISA flagged another critical vulnerability — CVE-2016-7836, which affects SKYSEA Client View, Japanese IT monitoring software. This flaw, with a CVSS score of 9.8, allows remote code execution due to improper authentication handling.
According to Japan Vulnerability Notes (JVN), real-world attacks have been observed using this exploit since 2016, further highlighting that old vulnerabilities continue to be weaponized by attackers when systems are not patched.
If your organization uses Adobe Experience Manager (AEM) Forms on JEE, act immediately:
Security Checklist
Install AEM patch version 6.5.0-0108 or later
Restrict public access to /adminui/debug
Limit exposure of AEM management interfaces
Use Web Application Firewall (WAF) rules to block exploit attempts
Monitor server logs for suspicious OGNL expressions
Conduct an emergency vulnerability scan
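As an added example that is not part of the article or of Adobe's guidance, the two checklist items on restricting /adminui/debug and monitoring logs for OGNL expressions can be checked against ordinary web-server access logs like this; the sample log lines, the `expr` parameter name and the internal-address allowlist are constructed for illustration only.

```python
import posixpath
import re
from urllib.parse import unquote

# Combined log format (Apache/nginx): client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Expression markers that should never appear in legitimate requests to AEM:
# Struts/OGNL interpolation (%{ / ${), context variables (#name) and static
# references (@pkg.Class@). Kept deliberately generic: the goal is to flag
# requests for review, not to model a specific payload.
OGNL_MARKERS = re.compile(r"%\{|\$\{|#[A-Za-z_]|@[A-Za-z_][\w.]*@")
DEBUG_ENDPOINT = "/adminui/debug"

# Constructed sample traffic (RFC 5737 test addresses), not real log data.
# The `expr` parameter name is made up for the example.
SAMPLE_LOG = """\
203.0.113.7 - - [16/Oct/2025:09:12:01 +0000] "GET /content/site/en.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [16/Oct/2025:09:12:05 +0000] "GET /adminui/debug HTTP/1.1" 200 311 "-" "curl/8.4"
10.0.0.5 - - [16/Oct/2025:09:13:10 +0000] "GET /adminui/debug HTTP/1.1" 200 311 "-" "Mozilla/5.0"
198.51.100.4 - - [16/Oct/2025:09:14:22 +0000] "POST /adminui/debug?expr=%25%7B1%2B1%7D HTTP/1.1" 200 210 "-" "python-requests/2.32"
"""


def analyze_log(text: str, allowlist: set[str]) -> list[dict]:
    """Return one finding per request that reaches /adminui/debug from outside
    the allowlist or that carries OGNL-looking syntax anywhere in the URL."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        # Decode twice so single- and double-percent-encoded requests look alike,
        # then normalise the path so "/adminui/./debug" is not missed.
        target = unquote(unquote(m["target"]))
        path, _, query = target.partition("?")
        path = posixpath.normpath(path)
        reasons = []
        if path.startswith(DEBUG_ENDPOINT) and m["ip"] not in allowlist:
            reasons.append("debug_endpoint_external_source")
        if OGNL_MARKERS.search(target):
            reasons.append("ognl_expression_in_request")
        if reasons:
            findings.append({"ip": m["ip"], "ts": m["ts"], "method": m["method"],
                             "status": m["status"], "path": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze_log(SAMPLE_LOG, {"10.0.0.5"}):
        print(f["ts"], f["ip"], f["method"], f["path"], ", ".join(f["reasons"]))
```

Any hit on the debug endpoint with a 200 status from an external address is worth treating as a possible compromise, not just a scan, because the page notes the endpoint evaluates expressions without authentication.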
The discovery and active exploitation of CVE-2025-54253 is a serious cybersecurity risk. Adobe has released fixes, but many organizations may still be unaware and exposed. Since a public exploit exists, attackers are likely scanning the internet for vulnerable systems right now.
Businesses and government agencies must install updates immediately and review their security posture to prevent intrusion through Adobe Experience Manager.