CISA has added CVE-2025-54253, a misconfiguration vulnerability in Adobe Experience Manager (AEM) Forms on Java Enterprise Edition (JEE), to its Known Exploited Vulnerabilities catalog, thus warning of detected in-the-wild exploitation.
Adobe fixed the vulnerability in August 2025, along with CVE-2025-54254, an Improper Restriction of XML External Entity Reference vulnerability in the same solution.
But since a proof-of-concept (PoC) exploit for the two flaws had been made public before the fix was released, it was only a matter of time until attackers tried to leverage them.
That said, it’s currently unknown why only CVE-2025-54253 has been added to the KEV catalog, and whether the attackers used the public PoC exploit as a starting point for their own. CISA, unfortunately, does not include any information about the attack(s) in the KEV catalog.
CVE-2025-54253 allows remote code execution
CVE-2025-54253 stems from a misconfiguration in AEM Forms that leaves Apache Struts “devMode” enabled in the admin UI, combined with an authentication bypass. Together, these let unauthenticated attackers submit OGNL expressions that the Struts framework evaluates server-side, which can lead to remote code execution.
It can be exploited in low-complexity attacks that require no user interaction.
The vulnerability affects Adobe Experience Manager (AEM) Forms on JEE versions 6.5.23.0 and earlier.
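The weak setting at the heart of CVE-2025-54253 is a standard Struts switch: when `struts.devMode` is true, Struts activates its debugging interceptor, which accepts expressions from request parameters and evaluates them. The following is an added example, not code from Adobe or from the researchers: a POSIX shell check that scans a deployed Struts application directory for devMode being enabled, run against two constructed sample deployments (one weak, one fixed). The `WEB-INF/classes` layout and the `struts.xml`/`struts.properties` file names are assumptions about a generic Struts deployment, not a description of where AEM Forms keeps its configuration.

```shell
#!/bin/sh
# Added example (not AEM Forms' own tooling): detect Apache Struts devMode in a
# deployed application. Paths and file names assume a generic Struts layout.

# Write a constructed sample Struts deployment under $1.
# $2 is "weak" (devMode on, the misconfiguration) or "fixed" (devMode off).
make_sample_deployment() {
  dir="$1"; mode="$2"
  mkdir -p "$dir/WEB-INF/classes"
  if [ "$mode" = weak ]; then devmode=true; else devmode=false; fi
  cat > "$dir/WEB-INF/classes/struts.xml" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<struts>
  <!-- struts.devMode must be false in production: when true, Struts enables
       its debugging interceptor, which evaluates OGNL taken from requests -->
  <constant name="struts.devMode" value="$devmode" />
</struts>
EOF
  # The same setting can also be given in struts.properties.
  cat > "$dir/WEB-INF/classes/struts.properties" <<EOF
struts.devMode = $devmode
EOF
}

# Return 0 if devMode is enabled anywhere under $1 (struts*.xml constant or
# struts.properties key), 1 otherwise. Comments and whitespace are tolerated;
# both attribute orders of the <constant> element are matched.
struts_devmode_enabled() {
  dir="$1"
  if find "$dir" -type f -name 'struts*.xml' -exec grep -Eil \
       '<constant[^>]*(name="struts\.devMode"[^>]*value="true"|value="true"[^>]*name="struts\.devMode")' {} + 2>/dev/null \
       | grep -q .; then
    return 0
  fi
  if find "$dir" -type f -name 'struts.properties' -exec grep -Eil \
       '^[[:space:]]*struts\.devMode[[:space:]]*=[[:space:]]*true' {} + 2>/dev/null \
       | grep -q .; then
    return 0
  fi
  return 1
}

# Print a one-line verdict for a deployment directory.
report_devmode() {
  if struts_devmode_enabled "$1"; then
    echo "$1: struts.devMode=true (debug interceptor reachable; fix before exposing)"
  else
    echo "$1: struts.devMode off"
  fi
}

# Demo against the two constructed deployments.
demo_root=$(mktemp -d)
make_sample_deployment "$demo_root/weak" weak
make_sample_deployment "$demo_root/fixed" fixed
report_devmode "$demo_root/weak"
report_devmode "$demo_root/fixed"
rm -rf "$demo_root"
```

Point `struts_devmode_enabled` at the exploded WAR or EAR directory of a standalone deployment; for a packaged archive, unzip it to a temporary directory first. A hit does not by itself prove the authentication bypass is present, but devMode enabled on an internet-reachable admin UI is exactly the condition the advisory describes and should be treated as urgent.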
Shubham Shah and Adam Kues, the researchers who reported the two flaws and published the PoC exploit when Adobe failed to address them within 90 days, previously explained that Adobe Experience Manager Forms can be either co-deployed with the standard AEM installation or deployed standalone on a J2EE-compatible server.
“The vulnerabilities [we found] are primarily applicable to standalone deployments of AEM Forms via a J2EE-compatible server such as JBoss,” they said.
Since a patch wasn’t available at the time, they advised users to restrict access to Adobe Experience Manager Forms from the internet when deployed as a standalone application.
But with fixes available for a couple of months now and in light of the confirmation of in-the-wild exploitation, users should upgrade to version 6.5.0-0108 or later as soon as possible.
CISA has ordered Federal Civilian Executive Branch (FCEB) agencies to patch their systems by November 5, 2025.