
Introduction: what’s the problem?
CISA has added CVE-2025-54253—a maximum-severity (CVSS 10.0) flaw in Adobe Experience Manager (AEM) Forms on JEE—to its Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation. Adobe fixed the issue with an out-of-band update in early August 2025, but many environments remain exposed. The vulnerability stems from a misconfiguration that enables pre-authentication remote code execution (RCE) via OGNL evaluation, and it shipped alongside a related XXE issue (CVE-2025-54254, CVSS 8.6).
In brief
- Impacted product: Adobe AEM Forms on JEE up to 6.5.23.0 (fixed in 6.5.0-0108 hotfix).
- CVE: CVE-2025-54253 (CVSS 10.0, RCE), plus CVE-2025-54254 (CVSS 8.6, XXE / file read).
- Status: Added to CISA KEV on Oct 15, 2025 → exploitation observed. Federal agencies must remediate on deadline; all orgs urged to patch.
- Exploit: Public PoC existed when Adobe shipped the fix.
Context / history / connections
Adobe shipped an out-of-band bulletin (APSB25-82) on Aug 5, 2025 after researchers (Assetnote/Searchlight Cyber) disclosed technical details and PoCs. Two days later, industry trackers and vendors echoed the urgency. On Oct 15, 2025, CISA formally placed CVE-2025-54253 into KEV, indicating observed exploitation and triggering remediation timelines for U.S. federal agencies. SecurityWeek summarized the development on Oct 16, 2025.
Technical analysis / details of the vulnerability
Researchers describe CVE-2025-54253 as a pre-auth chain: an authentication bypass combined with Apache Struts “development mode” left enabled for the AEM admin UI. That setup allows an attacker to craft requests that evaluate OGNL expressions, a classic Struts hazard, and then use known sandbox bypasses to achieve RCE. Adobe’s bulletin labels it a misconfiguration but confirms critical impact; the companion CVE-2025-54254 is an XXE that enables arbitrary file reads. Fixed builds: AEM Forms on JEE 6.5.0-0108.
The NVD record's CVSS metrics confirm a scope change and an attack requiring no user interaction, characteristics typical of high-impact pre-auth RCE.
Likely indicators & attack surface
- Access to /adminui/debug or Struts dev-mode endpoints and parameters carrying OGNL payloads. (Multiple practitioner writeups highlight this vector.)
- Sudden child processes from the AEM Forms Java process (e.g., cmd.exe, /bin/sh) after HTTP hits on admin UI paths. (Inference based on typical OGNL-to-RCE behavior corroborated by public writeups.)
Practical consequences / risks
- Unauthenticated RCE on AEM Forms servers → potential full host takeover, web shell deployment, lateral movement, and data theft.
- Compliance & availability risks for organizations using AEM Forms for regulated workflows (government, finance, healthcare).
- Rapid weaponization risk due to public PoCs and now-confirmed exploitation.
Operational recommendations / what to do next
- Patch immediately.
- Upgrade AEM Forms on JEE to the Aug 2025 hotfix (6.5.0-0108) or later; apply all mitigations in APSB25-82 and Adobe’s follow-up hardening guide.
- Contain internet exposure.
- Until patched, block external access to AEM admin and Forms endpoints; restrict to admin networks/VPN; place behind strong auth and IP ACLs. (This aligns with researcher guidance and Adobe docs.)
- Hunt for compromise (30–90 days lookback).
- Scan logs for requests to /adminui/debug and other Struts dev-mode artifacts; look for OGNL-like patterns and suspicious 500s followed by process spawns.
- Check for unexpected JSP/Java class files, cron/Task Scheduler entries, modified web.xml, or new admin users.
- WAF & virtual patching.
- Add rules to block OGNL tokens and known dev-mode params; strip or reject suspicious debug parameters until fully remediated. (Temporary—not a substitute for patching.)
- Asset inventory & version verification.
- Inventory all AEM Forms on JEE instances; confirm versions ≤ 6.5.23.0 and prioritize patching those first.
- XXE hardening for CVE-2025-54254.
- Apply the same APSB25-82 hotfix and Adobe’s XXE mitigation guidance; search logs for unexpected file read errors/exfil hints.
- Compliance with KEV deadlines.
- U.S. federal agencies must meet BOD 22-01 timelines; private orgs should mirror the urgency.
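To make the "Hunt for compromise" step concrete, here is an added example (not code from Adobe, CISA, or the cited researchers) that scans constructed access-log lines for the /adminui/debug path, a Struts-style debug parameter, and OGNL-like tokens after percent-decoding, and flags HTTP 500s on those requests. It assumes combined log format on the proxy in front of AEM Forms and that a request parameter named `debug` has no legitimate use in your deployment.

```python
import re
from urllib.parse import unquote

# Combined log format (Apache/Nginx); assumed for the proxy in front of AEM Forms.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')
# Dev-mode artifacts: /adminui/debug from the advisory plus a Struts-style "debug" parameter.
DEV_MODE_PATH = "/adminui/debug"
DEBUG_PARAM_RE = re.compile(r"(?:^|[?&])debug=", re.IGNORECASE)
# Generic OGNL expression markers, matched after percent-decoding.
OGNL_RE = re.compile(r"%\{|\$\{|#\{|@java\.")

def decode_fully(s, max_rounds=3):
    # Undo repeated percent-encoding so double-encoded markers become visible.
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s

def classify(rec):
    """Return the reasons a parsed request looks suspicious (empty if none)."""
    reasons = []
    target = decode_fully(rec["target"])
    if target.split("?", 1)[0].startswith(DEV_MODE_PATH):
        reasons.append("dev-mode path")
    if DEBUG_PARAM_RE.search(target):
        reasons.append("debug parameter")
    if OGNL_RE.search(target):
        reasons.append("OGNL-like token")
    # A 500 on an already-suspicious request is the "suspicious 500" to correlate with process spawns.
    if reasons and rec["status"] == "500":
        reasons.append("HTTP 500")
    return reasons

def hunt(lines):
    # Return (ip, timestamp, raw target, reasons) for every suspicious request.
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and (reasons := classify(m.groupdict())):
            hits.append((m["ip"], m["ts"], m["target"], reasons))
    return hits

# Constructed sample lines (not real traffic); IPs are from documentation ranges.
SAMPLE_LOG = [
    '203.0.113.7 - - [16/Oct/2025:10:01:02 +0000] "GET /content/forms/af/sample.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [16/Oct/2025:10:01:05 +0000] "GET /adminui/debug?debug=1&q=%2524%257BPLACEHOLDER%257D HTTP/1.1" 500 812 "-" "curl/8.4.0"',
    '198.51.100.9 - - [16/Oct/2025:10:02:11 +0000] "POST /content/forms/af/x.html?name=%25%7BPLACEHOLDER%7D HTTP/1.1" 200 77 "-" "python-requests/2.31"',
    '192.0.2.5 - - [16/Oct/2025:10:03:00 +0000] "GET /adminui/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]
```

Run `hunt()` over your real proxy logs for the 30–90 day lookback; a hit on the dev-mode path with a 500 is the strongest signal and should be followed by a host-side check for unexpected child processes of the AEM Forms Java process.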
Differences / comparisons with other cases
This incident rhymes with historic Apache Struts OGNL disasters (e.g., the well-known 2017 Struts2 RCE used in major breaches): leaving dev mode or OGNL-reachable paths exposed typically leads to pre-auth code execution. The twist here is the AEM Forms-specific admin UI plus an auth bypass that makes exploitation trivial in a single request when dev mode is on, hence the CVSS 10.0 score and the rapid weaponization once PoCs went public.
Summary / key takeaways
- CVE-2025-54253 (CVSS 10.0) in AEM Forms on JEE is actively exploited; it enables pre-auth RCE via OGNL if Struts dev mode is exposed.
- Adobe fixed it in 6.5.0-0108 on Aug 5, 2025; CISA KEV (Oct 15, 2025) confirms attacks in the wild.
- Patch now, restrict exposure, hunt for /adminui/debug access and post-exploitation traces, and apply XXE mitigations for CVE-2025-54254.
Sources / bibliography
- CISA — “CISA Adds One Known Exploited Vulnerability to Catalog” (Oct 15, 2025). (CISA)
- CISA KEV Catalog — Entry for CVE-2025-54253. (CISA)
- Adobe APSB25-82 — Security update for AEM Forms (Aug 5, 2025). (Adobe Help Center)
- Searchlight Cyber research — Struts dev-mode & pre-auth chain write-up (Jul 29, 2025). (Searchlight Cyber)
- SecurityWeek — “Organizations Warned of Exploited Adobe AEM Forms Vulnerability” (Oct 16, 2025). (SecurityWeek)
- NVD — CVE-2025-54253 details & metrics. (NVD)

