Adobe patches critical Adobe Experience Manager Forms vulnerabilities with public PoC


Adobe has released an emergency security update for Adobe Experience Manager Forms on Java Enterprise Edition (JEE) that fixes two critical vulnerabilities (CVE-2025-54253 and CVE-2025-54254) for which a proof-of-concept (PoC) exploit is publicly available.

Details about the flaws have been public for days, and attackers may soon try their hand at exploiting them.

About the vulnerabilities

Shubham Shah and Adam Kues, of Searchlight Cyber's Research Team, found three critical vulnerabilities in Adobe Experience Manager Forms earlier this year and reported them to Adobe:

“Adobe Experience Manager Forms can be deployed in two different ways: either it is co-deployed with your standard AEM installation, or it is deployed standalone on a J2EE-compatible server. The vulnerabilities [we found] are primarily applicable to standalone deployments of AEM Forms via a J2EE-compatible server such as JBoss,” Shah and Kues explained.

While Adobe is not aware of these two vulnerabilities being exploited in the wild, it urges admins to install the update as soon as possible. (More details on how to do it are available here.)

If the security update can’t be implemented at this time, Searchlight Cyber researchers have advised organizations using AEM Forms in standalone mode to restrict access to the application to internal users/networks only.
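One way to apply that stop-gap, as an added example that is not from the article, from Searchlight Cyber or from Adobe: put a reverse proxy in front of the standalone AEM Forms deployment and permit only internal address ranges. The nginx configuration below assumes the JBoss-hosted AEM Forms instance listens on 127.0.0.1:8080 and that 10.0.0.0/8 and 192.168.0.0/16 are the organisation's internal ranges; both the upstream address and the ranges are assumptions to adjust for your environment.

```nginx
# Added example: nginx reverse proxy that exposes a standalone AEM Forms
# instance only to internal networks. The upstream address and the allowed
# ranges below are assumptions; replace them with your own.
server {
    listen 443 ssl;
    server_name forms.example.internal;

    ssl_certificate     /etc/nginx/tls/forms.crt;
    ssl_certificate_key /etc/nginx/tls/forms.key;

    # Allow-list internal ranges; every other client receives 403 from the
    # proxy before the request reaches the application.
    allow 10.0.0.0/8;
    allow 192.168.0.0/16;
    deny  all;

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

The allow-list only helps if the proxy is the sole path in: bind the JBoss HTTP listener to loopback, or block its port at the host firewall, so the application cannot be reached directly. This is a stop-gap, not a fix; apply Adobe's update as soon as a change window permits.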
