Urgent: CISA Warns of Active Attacks on Critical Adobe Flaw

Summary
– CISA warns attackers are actively exploiting a maximum-severity vulnerability (CVE-2025-54253) in Adobe Experience Manager Forms on JEE versions 6.5.23 and earlier.
– This critical flaw allows unauthenticated threat actors to bypass security and execute arbitrary code remotely without user interaction in low-complexity attacks.
– Researchers discovered and disclosed the vulnerability to Adobe in April, but it remained unpatched for over 90 days until they published exploit details in late July.
– Adobe released security updates on August 9th after proof-of-concept exploit code became publicly available, and CISA added it to its Known Exploited Vulnerabilities Catalog.
– Federal agencies must patch by November 5th per CISA’s directive, while all organizations are urged to prioritize mitigation due to active exploitation risks.

A critical security alert has been issued by the Cybersecurity and Infrastructure Security Agency (CISA) regarding active exploitation of a maximum-severity vulnerability in Adobe Experience Manager. This flaw enables attackers to run malicious code on systems that have not yet been updated with the necessary security patches.
Identified as CVE-2025-54253, the issue is a misconfiguration weakness impacting Adobe Experience Manager Forms on JEE, specifically versions 6.5.23 and older. Unauthenticated attackers can leverage this vulnerability to bypass security controls and execute remote code. These attacks are considered low-complexity and do not require any action from users to succeed.
Security researchers Adam Kues and Shubham Shah from Searchlight Cyber discovered this flaw and reported it to Adobe on April 28, along with two additional security issues (CVE-2025-54254 and CVE-2025-49533). While Adobe addressed one of the vulnerabilities in April, the other two remained unpatched for more than 90 days. The researchers published a detailed technical analysis on July 29, explaining how these vulnerabilities could be exploited.
Adobe released security updates addressing CVE-2025-54253 on August 9, acknowledging that proof-of-concept exploit code was already publicly accessible. According to Searchlight Cyber, this vulnerability functions as an authentication bypass that leads to remote code execution through Struts DevMode. The researchers recommended that administrators who cannot immediately apply the patch should restrict internet access to AEM Forms when it is deployed as a standalone application.
CISA has now included this vulnerability in its Known Exploited Vulnerabilities Catalog. Federal Civilian Executive Branch agencies are required to secure their systems by November 5, giving them a three-week window to comply with Binding Operational Directive 22-01. Although this directive applies specifically to federal agencies, CISA strongly advises all organizations, including private sector companies, to prioritize patching this vulnerability due to ongoing attacks in the wild.
In its advisory, CISA urged administrators to apply vendor-provided mitigations, follow BOD 22-01 guidance for cloud services, or discontinue using the product if no mitigations are available. The agency emphasized that such vulnerabilities are commonly used by malicious actors and represent a serious risk to organizational security.
(Source: Bleeping Computer)