
Exploit Alert: Critical Adobe Experience Manager Flaw (CVE-2025-54253)

Summary

– CISA added CVE-2025-54253, a misconfiguration vulnerability in Adobe Experience Manager Forms on JEE, to its Known Exploited Vulnerabilities catalog due to active exploitation.
– The vulnerability enables unauthenticated attackers to achieve remote code execution by exploiting an enabled Apache Struts “devMode” and authentication bypass in the admin UI.
– Adobe fixed CVE-2025-54253 and CVE-2025-54254 in August 2025, but a public proof-of-concept exploit existed before the patch, increasing the risk of attacks.
– Researchers advised users to restrict internet access to standalone AEM Forms deployments or upgrade to version 6.5.0-0108 or later to mitigate the vulnerability.
– CISA has mandated Federal Civilian Executive Branch agencies to patch their systems against this vulnerability by November 5, 2025.

A critical security flaw within Adobe Experience Manager Forms has been officially flagged by the Cybersecurity and Infrastructure Security Agency (CISA) due to active exploitation in real-world attacks. CVE-2025-54253, a misconfiguration vulnerability affecting AEM Forms on Java Enterprise Edition, enables unauthenticated attackers to execute remote code on vulnerable systems. Although Adobe released patches for this issue and a related XML External Entity flaw (CVE-2025-54254) back in August 2025, public proof-of-concept exploits surfaced beforehand, giving threat actors a clear path to weaponize the weaknesses.

It remains unclear why only CVE-2025-54253 has been placed on CISA’s Known Exploited Vulnerabilities catalog, and whether attackers are directly using the available exploit code. The agency’s catalog does not provide specific details about ongoing attacks, leaving some questions unanswered for defenders.

The vulnerability stems from Apache Struts “devMode” being left active in the administrative interface, combined with an authentication bypass. This dangerous combination permits unauthenticated remote attackers to submit expressions that the Struts framework will execute, potentially leading to full system compromise. Exploitation is considered low-complexity and does not require any interaction from users.
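Because the root cause described above is a framework setting left enabled, a defender's first check is whether `struts.devMode` is switched on in the Struts configuration shipped with a deployment. The script below is an added example written for this article, not code from Adobe, the researchers, or the Struts project; it audits the two places Struts reads that constant from (a `struts.xml` `<constant>` element and a `struts.properties` key), using constructed sample files that show the weak setting beside the corrected one. Which file an AEM Forms installation actually uses, and where it lives on disk, is not stated on the page and is assumed here; the check only reports the setting, it does not resolve Struts' load-order precedence between sources.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

# Constructed sample: struts.xml with devMode left on (the weak setting).
STRUTS_XML_WEAK = """<?xml version="1.0" encoding="UTF-8"?>
<struts>
  <constant name="struts.devMode" value="true"/>
  <constant name="struts.enable.DynamicMethodInvocation" value="false"/>
</struts>
"""

# Constructed sample: the same file with devMode explicitly disabled.
STRUTS_XML_FIXED = """<?xml version="1.0" encoding="UTF-8"?>
<struts>
  <constant name="struts.devMode" value="false"/>
  <constant name="struts.enable.DynamicMethodInvocation" value="false"/>
</struts>
"""

# Constructed sample: struts.properties with devMode on (note mixed case and spaces).
STRUTS_PROPERTIES_WEAK = """# constructed sample properties file
struts.devMode = True
struts.action.extension=action
"""


def devmode_from_xml(text: str) -> Optional[bool]:
    """Return True/False for the struts.devMode constant in a struts.xml,
    or None when the constant is absent (Struts then uses its default, false)."""
    root = ET.fromstring(text)
    for const in root.iter("constant"):
        if const.get("name") == "struts.devMode":
            return const.get("value", "").strip().lower() == "true"
    return None


def devmode_from_properties(text: str) -> Optional[bool]:
    """Return True/False for struts.devMode in a Java .properties file,
    honouring '=' and ':' separators and '#'/'!' comment lines, or None if unset."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, sep, value = line.partition(":")
        if key.strip() == "struts.devMode":
            return value.strip().lower() == "true"
    return None


def audit(sources: Dict[str, str]) -> List[str]:
    """Audit a mapping of file name -> file contents and return one finding per
    source in which struts.devMode is enabled. File names are assumed labels;
    the real location of the Struts configuration in an AEM Forms install is
    not given on the page."""
    findings: List[str] = []
    for name, text in sources.items():
        parser = devmode_from_xml if name.lower().endswith(".xml") else devmode_from_properties
        if parser(text) is True:
            findings.append(
                f"{name}: struts.devMode is enabled; set it to false (or remove it) "
                f"before the instance is reachable from untrusted networks"
            )
    return findings


if __name__ == "__main__":
    for finding in audit({"struts.xml": STRUTS_XML_WEAK,
                          "struts.properties": STRUTS_PROPERTIES_WEAK}):
        print("FINDING:", finding)
    print("hardened struts.xml findings:", audit({"struts.xml": STRUTS_XML_FIXED}))
```

The check is deliberately conservative: an absent constant is reported as unset rather than safe, since the effective value also depends on any other configuration source Struts loads, and a config audit is no substitute for applying the 6.5.0-0108 update the article points to.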

Affected software includes Adobe Experience Manager Forms on JEE versions 6.5.23.0 and earlier. Researchers Shubham Shah and Adam Kues, who originally discovered and reported the flaws, noted that these security issues mainly impact standalone deployments of AEM Forms on J2EE-compatible application servers like JBoss. When Adobe did not provide fixes within a 90-day disclosure window, the researchers publicly released a proof-of-concept exploit.

At that time, with no patch available, their primary recommendation was for organizations to block internet access to standalone AEM Forms instances. Now that patches have been available for several months and active exploitation is confirmed, the urgent guidance is to upgrade to AEM Forms version 6.5.0-0108 or later immediately.

CISA has mandated that all Federal Civilian Executive Branch agencies apply the necessary updates by November 5, 2025, to protect their networks. All other organizations using this software are strongly encouraged to patch without delay to prevent potential breaches.

(Source: HelpNet Security)
