Adobe AEM Forms 0-Day Vulnerability Allows Attackers to Run Arbitrary Code

Adobe has released critical security updates for Adobe Experience Manager (AEM) Forms on Java Enterprise Edition (JEE) following the discovery of two severe vulnerabilities that could allow attackers to execute arbitrary code and read sensitive files on affected systems.

Critical Security Flaws Discovered

Security researchers Shubham Shah and Adam Kues from Assetnote identified two critical vulnerabilities in Adobe’s enterprise content management platform. 

CVE-2025-54253, scoring a maximum 10.0 on the Common Vulnerability Scoring System (CVSS), represents a misconfiguration flaw that enables arbitrary code execution.

The second vulnerability, CVE-2025-54254, carries an 8.6 CVSS score and stems from improper restriction of XML External Entity (XXE) references, allowing unauthenticated attackers to read arbitrary files from the server's file system.

The vulnerabilities affect Adobe Experience Manager Forms on JEE version 6.5.23.0 and all earlier versions across all platforms.

CVE Number          CVE-2025-54254                                                CVE-2025-54253
Vulnerability Type  Improper Restriction of XML External Entity Reference (XXE)   Misconfiguration
Impact              Arbitrary file system read                                    Arbitrary code execution
Severity            Critical                                                      Critical
CVSS Base Score     8.6                                                           10.0

Adobe has confirmed that proof-of-concept exploits for both vulnerabilities are publicly available, significantly increasing the risk of potential attacks.

However, the company stated it has not observed these vulnerabilities being actively exploited in the wild.

Adobe has categorized these updates with Priority 1 status, its highest security rating, emphasizing the urgent need for organizations to apply patches immediately.

The company has released version 6.5.0-0108 as a comprehensive fix for both vulnerabilities, with detailed update instructions available through Adobe’s Experience League documentation.

The CVE-2025-54253 misconfiguration vulnerability poses the most severe threat, enabling remote attackers to execute arbitrary code without requiring authentication or user interaction.

Its CVSS vector (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) describes a network-reachable attack of low complexity that needs no privileges or user interaction, changes scope (the compromise reaches beyond the vulnerable component), and has high impact on confidentiality, integrity, and availability.
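CVSS vectors are easy to misread, so it is worth checking that the quoted scores actually follow from the quoted vectors. The following is an added example, not code from the article or from Adobe: a small CVSS v3.1 base-score calculator that implements the specification's impact, exploitability and round-up formulas and is run against the two vectors the page cites (the 10.0 vector above and the 8.6 vector for CVE-2025-54254 further down). The class name and the two vector strings embedded in main are the only inputs; both vectors are the ones stated on this page.

```java
import java.util.HashMap;
import java.util.Map;

/** Added example: CVSS v3.1 base score from a vector string (spec section 7). */
public class Cvss31 {

    /** CVSS v3.1 "Roundup": smallest one-decimal value >= x, computed on integers as the spec requires. */
    static double roundUp(double x) {
        long i = Math.round(x * 100000);
        if (i % 10000 == 0) {
            return i / 100000.0;
        }
        return (Math.floor(i / 10000.0) + 1) / 10.0;
    }

    /** Numeric weight for one base metric value; PR depends on whether scope is changed. */
    static double metric(String name, char v, boolean scopeChanged) {
        switch (name) {
            case "AV": return v == 'N' ? 0.85 : v == 'A' ? 0.62 : v == 'L' ? 0.55 : 0.20;
            case "AC": return v == 'L' ? 0.77 : 0.44;
            case "PR":
                if (v == 'N') return 0.85;
                if (v == 'L') return scopeChanged ? 0.68 : 0.62;
                return scopeChanged ? 0.50 : 0.27; // PR:H
            case "UI": return v == 'N' ? 0.85 : 0.62;
            default:   // C, I, A
                return v == 'H' ? 0.56 : v == 'L' ? 0.22 : 0.0;
        }
    }

    /** Parses a "CVSS:3.1/AV:../AC:../PR:../UI:../S:../C:../I:../A:.." vector and returns the base score. */
    static double baseScore(String vector) {
        if (!vector.startsWith("CVSS:3.1/")) {
            throw new IllegalArgumentException("only CVSS v3.1 vectors are supported: " + vector);
        }
        Map<String, Character> m = new HashMap<>();
        for (String part : vector.split("/")) {
            String[] kv = part.split(":");
            if (kv.length == 2 && kv[1].length() == 1) {
                m.put(kv[0], kv[1].charAt(0));
            }
        }
        for (String k : new String[] {"AV", "AC", "PR", "UI", "S", "C", "I", "A"}) {
            if (!m.containsKey(k)) {
                throw new IllegalArgumentException("missing base metric " + k + " in " + vector);
            }
        }
        boolean changed = m.get("S") == 'C';

        // ISS = 1 - (1-C)(1-I)(1-A); Impact differs between unchanged and changed scope.
        double iss = 1 - (1 - metric("C", m.get("C"), changed))
                       * (1 - metric("I", m.get("I"), changed))
                       * (1 - metric("A", m.get("A"), changed));
        double impact = changed
                ? 7.52 * (iss - 0.029) - 3.25 * Math.pow(iss - 0.02, 15)
                : 6.42 * iss;
        double exploitability = 8.22
                * metric("AV", m.get("AV"), changed)
                * metric("AC", m.get("AC"), changed)
                * metric("PR", m.get("PR"), changed)
                * metric("UI", m.get("UI"), changed);

        if (impact <= 0) {
            return 0.0;
        }
        double raw = changed ? 1.08 * (impact + exploitability) : impact + exploitability;
        return roundUp(Math.min(raw, 10.0));
    }

    public static void main(String[] args) {
        // The two vectors quoted in the article for CVE-2025-54253 and CVE-2025-54254.
        String[] vectors = {
            "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
            "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
        };
        for (String v : vectors) {
            System.out.printf("%s -> %.1f%n", v, baseScore(v));
        }
    }
}
```

The scope-changed impact formula is the part most often got wrong by hand: with S:C the 1.08 multiplier applies to the sum and the PR weights for L and H are raised, which is why an S:C vector with only confidentiality impact (C:H/I:N/A:N) still lands in the high 8s rather than the 7s.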

CVE-2025-54254, meanwhile, is an XXE flaw: an XML parser that resolves external entities lets an attacker reference local files from attacker-supplied XML, enabling arbitrary file reads that can expose configuration files, credentials, and other critical data.

Its CVSS vector, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N, describes the same unauthenticated, network-reachable, scope-changing attack with high confidentiality impact but no direct integrity or availability impact.

These vulnerabilities highlight ongoing security challenges in enterprise content management systems, particularly those handling sensitive business data.

Organizations using Adobe AEM Forms should immediately assess their exposure and prioritize patch deployment to prevent potential compromise.

Adobe acknowledged the researchers through its private bug bounty program with HackerOne, demonstrating the company’s commitment to coordinated vulnerability disclosure.

The company continues to accept security research submissions through its invitation-only program, encouraging responsible disclosure of future security issues.

System administrators should implement the security updates immediately and review their AEM Forms configurations to ensure proper security controls are in place.

The availability of public proof-of-concept code makes these vulnerabilities particularly attractive targets for malicious actors.
