AEM Forms RCE Flaw Exploited In The Wild

A new vulnerability in Adobe Experience Manager (AEM) Forms has been confirmed as actively exploited in the wild, prompting the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add it to its Known Exploited Vulnerabilities (KEV) catalog. The flaw, tracked as CVE-2025-54253, affects Adobe Experience Manager (AEM) Forms on Java Enterprise Edition (JEE) and was first patched in August 2025. 

Misconfiguration Leads to Remote Code Execution 

CVE-2025-54253 stems from a misconfiguration in AEM Forms that leaves the Apache Struts framework in “devMode” within the admin interface. This setting, combined with an authentication bypass, allows unauthenticated attackers to execute expressions that Struts evaluates, opening the door to remote code execution (RCE). 

The vulnerability can be exploited through low-complexity attacks, requires no user interaction, and impacts AEM Forms versions 6.5.23.0 and earlier. Security researchers identified that the root cause is a failure to properly secure developer mode configurations, which should not be exposed in production environments. 
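The setting at the heart of this flaw is the Apache Struts constant `struts.devMode`, which can be declared in `struts.xml` (as a `<constant>` element) or in `struts.properties`. The script below is an added example, not code from the article, Adobe or the Struts project: a defender-side audit that reads both file formats and reports any source that leaves devMode enabled. The sample configurations are constructed for illustration, and the script takes file contents rather than paths because the article does not state where AEM Forms on JEE keeps its Struts configuration.

```python
"""Audit Apache Struts configuration for struts.devMode left enabled.

Added example (not from the article, Adobe or Apache). The key name
``struts.devMode`` is the real Struts setting; the config snippets are
constructed samples, and the file layout of AEM Forms is an assumption.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

DEV_MODE_KEY = "struts.devMode"

# Constructed sample: the weak setting, as left behind by a development
# profile that was never switched off for production.
WEAK_STRUTS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<struts>
    <constant name="struts.devMode" value="true"/>
    <package name="default" extends="struts-default"/>
</struts>
"""

# Constructed sample: the corrected setting.
HARDENED_STRUTS_XML = WEAK_STRUTS_XML.replace('value="true"', 'value="false"')


def devmode_from_struts_xml(xml_text: str) -> Optional[bool]:
    """Return True/False if struts.xml sets struts.devMode, None if unset.

    The stdlib parser does not fetch external DTDs, so a DOCTYPE pointing
    at the Struts DTD is tolerated without any network access.
    """
    root = ET.fromstring(xml_text)
    result = None
    for const in root.iter("constant"):
        if const.get("name") == DEV_MODE_KEY:
            # Last declaration wins, mirroring how repeated constants behave.
            result = const.get("value", "").strip().lower() == "true"
    return result


def devmode_from_properties(props_text: str) -> Optional[bool]:
    """Return True/False if struts.properties sets struts.devMode, None if unset."""
    result = None
    for raw in props_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue  # blank line or Java-properties comment
        key, sep, value = line.partition("=")
        if not sep:
            key, sep, value = line.partition(":")  # "key: value" is also legal
        if key.strip() == DEV_MODE_KEY:
            result = value.strip().lower() == "true"
    return result


def audit(configs: Dict[str, str]) -> List[str]:
    """Return the names of every config source that enables devMode.

    ``configs`` maps a file name (used only to pick the parser) to its text.
    """
    findings = []
    for name, text in configs.items():
        if name.endswith(".xml"):
            enabled = devmode_from_struts_xml(text)
        else:
            enabled = devmode_from_properties(text)
        if enabled:
            findings.append(name)
    return findings


if __name__ == "__main__":
    sample = {
        "struts.xml": WEAK_STRUTS_XML,
        "struts.properties": "# constructed sample\nstruts.devMode = false\n",
    }
    for source in audit(sample):
        print(f"FINDING: {source} leaves {DEV_MODE_KEY} enabled")
```

In a real deployment, Struts reads `struts.properties` after `struts.xml`, so a `false` in one file does not guarantee the effective value; the audit therefore reports each source separately so an operator can see exactly where devMode is being switched on.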

Public Exploits Accelerate the CVE-2025-54253 Threat 

Prior to Adobe’s patch release, proof-of-concept (PoC) exploits for both CVE-2025-54253 and a related issue, CVE-2025-54254, were publicly shared. These PoCs likely accelerated exploitation attempts by threat actors. Despite both vulnerabilities being publicly known, only CVE-2025-54253 has so far been added to the KEV catalog. 

CISA has not clarified whether attackers are leveraging the public PoC directly or if they have developed their own methods of exploitation. The agency typically does not disclose technical details or attribution when updating the KEV catalog. 

Adobe Patch Released in August 2025 

Adobe addressed both vulnerabilities on August 5, 2025 through Security Bulletin APSB25-82. The company urged all users of AEM Forms on JEE to upgrade to version 6.5.0-0108 or later. At the time of the advisory, Adobe stated it was not aware of any active exploitation, though that situation has now changed with CISA’s confirmation. 

The second vulnerability, CVE-2025-54254, involves an Improper Restriction of XML External Entity Reference (CWE-611), which could allow arbitrary files on the server's file system to be read. While critical, it has not yet been confirmed as actively exploited.

Federal Agencies Ordered to Patch by November 

CISA has mandated that Federal Civilian Executive Branch (FCEB) agencies apply the necessary updates by November 5, 2025. This directive is part of a broader effort to secure federal networks from known high-risk threats. 

The two vulnerabilities have been assigned the following CVSS base scores:

  • CVE-2025-54253 (Incorrect Authorization): CVSS 10.0, enabling arbitrary code execution 
  • CVE-2025-54254 (XXE Vulnerability): CVSS 8.6, enabling arbitrary file reads 

Both vulnerabilities were reported to Adobe by Shubham Shah and Adam Kues of Assetnote, who worked with the vendor to coordinate disclosure and remediation. 

While the AEM platform is a key component in digital experience delivery for many enterprises, misconfigurations like this one can introduce risks, particularly when they expose development features in production environments. The combination of Java Enterprise Edition (JEE) complexity and web-accessible admin interfaces increases the attack surface for products like AEM. 

System administrators running Adobe Experience Manager Forms on JEE are strongly urged to verify that their systems are not running affected versions and to apply the latest security updates immediately. If immediate patching is not feasible, isolating AEM Forms from internet access, especially when deployed as a standalone service, can serve as a temporary mitigation. 



About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.