New Vulnerability Discovered in Adobe Experience Manager Forms
A recently identified vulnerability in Adobe Experience Manager (AEM) Forms has been confirmed as actively exploited, prompting the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to include it in its Known Exploited Vulnerabilities (KEV) catalog. This security flaw, designated CVE-2025-54253, affects AEM Forms running on Java Enterprise Edition (JEE) and was initially patched in August 2025.
How a Misconfiguration Enables Remote Code Execution
The vulnerability CVE-2025-54253 arises from a misconfiguration within AEM Forms: the Apache Struts framework is left in “devMode” in the admin interface. Combined with an authentication bypass, this setting allows unauthenticated attackers to submit expressions that Struts evaluates, which can lead to remote code execution (RCE).
The ease of exploitation is concerning: the vulnerability can be targeted with low-complexity attacks and does not require any user interaction. It affects AEM Forms versions 6.5.23.0 and earlier. Security experts point out that the root cause is a developer-mode configuration left enabled in production, where it should be disabled.
Public Proof-of-Concept Exploits Fueling the Threat
Before Adobe released its patch, public proof-of-concept (PoC) exploits for CVE-2025-54253, along with a related vulnerability identified as CVE-2025-54254, were made available online. These PoCs have likely hastened exploitation attempts from cybercriminals. Although both vulnerabilities have been disclosed, only CVE-2025-54253 has made it to the KEV catalog so far.
CISA has not specified whether the attacks are utilizing the public PoCs directly or if threat actors are creating their own techniques for exploitation. Typically, the agency doesn’t reveal technical specifics or attribution when providing updates to the KEV catalog.
Adobe’s Response to the Vulnerability
Adobe acted on August 5, 2025, addressing both vulnerabilities via Security Bulletin APSB25-82. They encouraged all users of AEM Forms on JEE to update to version 6.5.0-0108 or later. Initially, Adobe claimed there were no active exploits known, a situation that has since changed with CISA’s recent acknowledgment of ongoing exploitation.
The additional vulnerability, CVE-2025-54254, involves improper restriction of XML External Entity references (CWE-611) and could allow unauthorized reads of the file system. Although deemed critical, this vulnerability has not yet been confirmed to be actively exploited in the wild.
Urgent Patch Mandate from CISA for Federal Agencies
CISA has issued a directive mandating that Federal Civilian Executive Branch (FCEB) agencies must implement the necessary updates by November 5, 2025. This requirement is part of a larger initiative to secure federal networks against recognized high-risk threats.
Both vulnerabilities have received critical CVSS base scores:
- CVE-2025-54253 (Incorrect Authorization): CVSS 10.0, allowing arbitrary code execution.
- CVE-2025-54254 (XXE Vulnerability): CVSS 8.6, enabling unauthorized file reads.
The vulnerabilities were disclosed to Adobe by security researchers Shubham Shah and Adam Kues from Assetnote, who collaborated with the company on remediation efforts.
The Implications of Misconfigurations in AEM
The AEM platform is essential for digital experience delivery across many organizations. However, misconfigurations like this one pose significant risk, especially when development features are exposed in production environments. The complexity of Java Enterprise Edition (JEE), combined with web-accessible admin interfaces, increases the attack surface of products like AEM.
System administrators using Adobe Experience Manager Forms on JEE must ensure that their systems are no longer running the affected versions and should apply the latest security updates immediately. When immediate patching isn’t an option, isolating AEM Forms from internet access—particularly if deployed as a standalone service—can serve as a temporary mitigation measure.
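The following audit helper is an added example written for this article; it is not Adobe's, Assetnote's or the page's own code. It covers the two defender-side checks the article describes: whether a Struts configuration still has developer mode switched on (the `struts.devMode` property in `struts.properties` or the matching `<constant>` in `struts.xml`, which are the standard Apache Struts 2 settings), and whether the installed AEM Forms version falls in the affected range of 6.5.23.0 and earlier stated above. The article does not say where AEM Forms keeps these files, so the paths below are placeholders and the sample file contents are constructed.

```python
"""Audit helper (added example, not Adobe's or the page's own code): flags a
Struts "devMode" left enabled and an AEM Forms version in the affected range."""
import re
import xml.etree.ElementTree as ET

# From the article: AEM Forms on JEE 6.5.23.0 and earlier are affected.
AFFECTED_MAX_VERSION = (6, 5, 23, 0)

# Standard Apache Struts 2 property key; matches "struts.devMode = true" or
# "struts.devMode:true" at the start of a line, so commented-out lines are ignored.
DEVMODE_PROPERTY = re.compile(
    r"^\s*struts\.devMode\s*[=:]\s*(\S+)", re.MULTILINE | re.IGNORECASE
)


def parse_version(text):
    """'6.5.23.0' -> (6, 5, 23, 0); shorter strings are padded with zeros."""
    parts = [int(p) for p in re.findall(r"\d+", text)][:4]
    if not parts:
        raise ValueError(f"no version digits in {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def is_affected_version(text):
    """True when the version is 6.5.23.0 or earlier (the range the article gives)."""
    return parse_version(text) <= AFFECTED_MAX_VERSION


def devmode_in_properties(text):
    """True if any struts.devMode line in a struts.properties body is set to true."""
    return any(m.group(1).strip().lower() == "true"
               for m in DEVMODE_PROPERTY.finditer(text))


def devmode_in_struts_xml(text):
    """True if a struts.xml body has <constant name="struts.devMode" value="true"/>.
    The stdlib parser does not fetch the external DTD that real struts.xml files declare."""
    root = ET.fromstring(text)
    for const in root.iter("constant"):
        if (const.get("name", "").lower() == "struts.devmode"
                and const.get("value", "").strip().lower() == "true"):
            return True
    return False


def audit(files, installed_version):
    """files: mapping of path -> file contents. Returns a list of (where, finding)."""
    findings = []
    if is_affected_version(installed_version):
        findings.append(("version",
                         f"AEM Forms {installed_version} is in the affected range (<= 6.5.23.0)"))
    for path, body in files.items():
        name = path.rsplit("/", 1)[-1].lower()
        if name == "struts.properties" and devmode_in_properties(body):
            findings.append((path, "struts.devMode=true in struts.properties"))
        elif name == "struts.xml" and devmode_in_struts_xml(body):
            findings.append((path, 'struts.devMode constant set to "true" in struts.xml'))
    return findings


# Constructed sample inputs; the paths are placeholders, not real AEM Forms locations.
WEAK_PROPERTIES = "# developer settings\nstruts.devMode = true\nstruts.i18n.reload = true\n"
FIXED_PROPERTIES = "# struts.devMode = true\nstruts.devMode = false\n"
WEAK_XML = '<struts><constant name="struts.devMode" value="true"/></struts>'
FIXED_XML = '<struts><constant name="struts.devMode" value="false"/></struts>'

SAMPLE_FILES = {
    "/placeholder/aem-forms/WEB-INF/classes/struts.properties": WEAK_PROPERTIES,
    "/placeholder/aem-forms/WEB-INF/classes/struts.xml": WEAK_XML,
    "/placeholder/other-app/WEB-INF/classes/struts.xml": FIXED_XML,
}

if __name__ == "__main__":
    for where, what in audit(SAMPLE_FILES, "6.5.23.0"):
        print(f"[FINDING] {where}: {what}")
```

Run against a real deployment, the `files` mapping would be built by walking the application's `WEB-INF/classes` directories for `struts.properties` and `struts.xml`; a finding on either file means developer mode is still on and should be set to `false` regardless of patch status, while the version finding shows whether the update to the fixed release has actually landed.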