Adobe AEM flaw added to CISA KEV (CVSS 10.0)

CISA added CVE-2025-54253 to its KEV catalogue, citing active exploitation. The bug affects Adobe Experience Manager (AEM) Forms on JEE ≤ 6.5.23.0 and was fixed in 6.5.0-0108 (August 2025). Researchers describe it as an authentication-bypass-to-RCE chain: an exposed /adminui/debug servlet evaluates attacker-supplied OGNL expressions, giving unauthenticated command execution on the server. A related flaw, CVE-2025-54254 (XXE), was patched at the same time. U.S. federal agencies must remediate by 5 Nov 2025. Proof-of-concept code exists; public exploitation details remain sparse.

Adobe AEM bug gets a perfect 10—and attackers noticed.

If your marketing stack includes Adobe Experience Manager (AEM) Forms on JEE, stop reading this on public Wi-Fi. CISA has dropped CVE-2025-54253 (CVSS 10.0) into the Known Exploited Vulnerabilities list after spotting active attacks. Fixed in 6.5.0-0108, the issue lets unauthenticated users hit /adminui/debug and get the server to execute OGNL as Java code. In plain English: one HTTP request, remote code execution, sad faces all round. A related XXE issue (CVE-2025-54254) was patched at the same time.

Researchers say the vulnerable endpoint was a bit too helpful for developers and ended up helpful for everyone else too. Proof-of-concept code is public, which means opportunistic scanning won’t be far behind.

What to do (yesterday):
• Patch to 6.5.0-0108 (or newer) immediately.
• Restrict /adminui/ paths; put AEM admin behind VPN/allow-lists.
• Review logs for odd /adminui/debug requests and command execution artefacts.
• Rotate credentials, check outbound egress, and watch for webshells.
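For the log review in the third bullet, here is an added example (not code from the post or from Adobe) that scans Apache-style access log lines, as commonly written by a Dispatcher or reverse proxy in front of AEM, for requests touching /adminui/debug. The sample log lines and the ADMIN_NETS allow-list are constructed assumptions for the demo; the scan also catches percent-encoded path variants.

```python
import re
from urllib.parse import unquote, urlsplit
from ipaddress import ip_address, ip_network

# Combined log format as written by Apache httpd (assumed front end for AEM).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+'
)

# Networks from which AEM admin traffic is legitimately expected (assumed values).
ADMIN_NETS = [ip_network("10.0.0.0/8")]

def analyse(line):
    """Return a finding dict for a request to /adminui/debug, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    # Decode percent-encoding once so e.g. /adminui/%44ebug is not missed.
    path = unquote(parts.path).lower()
    if not path.startswith("/adminui/debug"):
        return None
    status = int(m["status"])
    src = ip_address(m["ip"])
    return {
        "ip": m["ip"],
        "status": status,
        "has_params": bool(parts.query),
        "from_admin_net": any(src in net for net in ADMIN_NETS),
        # A successful request carrying parameters is the one to triage first.
        "severity": "high" if parts.query and status == 200 else "medium",
    }

def scan(lines):
    """Run analyse() over an iterable of log lines and keep only findings."""
    return [f for f in (analyse(line) for line in lines) if f]

# Constructed sample log lines for demonstration; not real traffic.
SAMPLE = [
    '10.0.4.7 - - [20/Oct/2025:09:12:01 +0000] "GET /content/forms/af/demo.html HTTP/1.1" 200 5120',
    '203.0.113.55 - - [20/Oct/2025:09:12:09 +0000] "GET /adminui/debug?x=1 HTTP/1.1" 200 812',
    '198.51.100.9 - - [20/Oct/2025:09:12:13 +0000] "GET /adminui/%44ebug HTTP/1.1" 403 0',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Point it at the real access logs with `scan(open(path))`; any high-severity hit from outside the admin networks warrants the credential rotation and webshell hunt in the next bullet.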

Deadlines: U.S. federal agencies have until 5 November 2025 to comply—take that as a hint for your own change board. This is one of those rare “perfect 10” days you definitely don’t want to celebrate. Patch first; coffee later.