
Introduction: what’s the problem?
A critical misconfiguration vulnerability in Adobe Experience Manager (AEM) Forms on JEE, tracked as CVE-2025-54253 and rated CVSS 10.0, is being actively exploited in the wild. The flaw enables pre-authentication compromise of AEM Forms servers and can lead to remote code execution (RCE). Adobe released fixes in an out-of-band update on August 5, 2025, but subsequent reporting and a CISA Known Exploited Vulnerabilities (KEV) entry confirm ongoing exploitation, making timely patching and hardening urgent.
In brief
- CVE: CVE-2025-54253 (AEM Forms on JEE)
- Impact: Pre-authentication path to remote code execution (RCE) through an insecure Struts configuration in the admin UI; maximum severity (CVSS 10.0).
- Status: Exploited in the wild; CISA added it to KEV in mid-October 2025.
- Patch released: Aug 5, 2025 (APSB25-82), alongside a related XXE read issue (CVE-2025-54254, CVSS 8.6).
- Who’s affected: Organizations running AEM 6.5 Forms on JEE, Service Pack 23 (6.5.23.0) and earlier.
Context, history, and connections
Adobe shipped several AEM Forms on JEE fixes across July and August 2025, culminating in APSB25-82, which addressed CVE-2025-54253 (misconfiguration leading to RCE) and CVE-2025-54254 (XXE leading to arbitrary file read). Security research also highlighted a separate RCE (CVE-2025-49533) and showed that some deployments exposed Struts development-mode features and unsafe request paths in administrative components, conditions that remove the need for credentials and dramatically lower the bar for exploitation. The KEV listing in October 2025 confirms exploitation in the wild, moving the issue from "patch soon" to "patch now".
Technical analysis / vulnerability details
Root cause & pre-auth vector
- CVE-2025-54253 is described by Adobe as a configuration security issue in AEM Forms on JEE that can lead to arbitrary code execution when left unremediated. Adobe's mitigation guidance and community research tie the attack path to the administration UI running with Struts 2 development mode enabled: development mode switches on debugging features that evaluate OGNL expressions taken from request parameters, and because those parameters are processed without any authentication check, an unauthenticated attacker can have the server evaluate attacker-controlled expressions and execute arbitrary code under the application server's account.
Affected versions
- AEM 6.5 Forms on JEE SP23 (6.5.23.0) and earlier are explicitly called out in Adobe’s docs as vulnerable to the issues addressed in August 2025.
Related issues shipped together
- CVE-2025-54254 (XXE, CVSS 8.6) enables arbitrary file read via the Document Security module. On its own it is an information-disclosure bug, but the configuration files and credentials it can read make it a natural companion to the RCE for reconnaissance and data theft.
- CVE-2025-49533 (RCE in GetDocumentServlet) is a separate AEM Forms on JEE bug that Adobe documented with its own mitigations; it is distinct from the dev-mode issue, but organizations typically patch all three in the same maintenance window.
Exploit status & indicators
- A public proof of concept was available by early August 2025, and the KEV addition in mid-October signals confirmed exploitation. Expect exploitation attempts against internet-exposed AEM Forms endpoints that probe for the administration UI and for development-mode behaviours such as OGNL expression evaluation.
Practical consequences / business risk
- Full server takeover (RCE) of AEM Forms nodes handling sensitive workflows (e-sign, document generation, citizen or customer forms) can expose PII, contracts, financial records, and credentials, and enable lateral movement into backend systems integrated through AEM (CRM, ERP, identity providers).
- Compliance & uptime: Data exposure can trigger reportable incidents under GDPR/CCPA and force emergency downtime to rebuild compromised stacks.
- Threat outlook: With the flaw in KEV and PoC available, opportunistic scanning and ransomware affiliates are likely to include AEM Forms in mass-exploitation runs.
Operational recommendations: what to do next
1) Patch immediately
- Apply APSB25-82 (released Aug 5, 2025) to all AEM 6.5 Forms on JEE instances. Confirm the environment is at or beyond the fixed build/service pack level recommended by Adobe.
2) Apply Adobe’s hardening guidance
- Follow Adobe's guides "Mitigating XXE, Struts Dev Mode configuration vulnerabilities for AEM Forms on JEE" and "Mitigating Remote Code Execution Vulnerability for AEM Forms on JEE":
- Ensure Struts development mode is disabled everywhere: struts.devMode must be false in every Struts configuration the admin UI loads, and the check must be repeated after any redeploy or service pack.
- Validate servlet and filter mappings; restrict or remove risky endpoints.
- Lock down the Document Security module configuration as described in the XXE guidance.
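A configuration audit for the development-mode step above, as an added example that is not Adobe's code and not part of its guidance. It parses constructed struts.xml and struts.properties content (the file names, and the idea that both may be present in the deployed admin UI application, are assumptions about the deployment; locate the real files inside the deployed application), reports every source that sets struts.devMode, applies Struts' documented load order (struts.xml is read before struts.properties, so a value in the properties file wins) to compute the effective setting, and rewrites the properties file with the setting forced off:

```python
"""Audit Struts 2 configuration for struts.devMode and force it off.
Added example with constructed inputs; the file names and the idea that
both a struts.xml and a struts.properties exist in the deployed admin UI
are assumptions about the deployment, not Adobe's documented layout."""
import xml.etree.ElementTree as ET

KEY = "struts.devMode"


def devmode_from_struts_xml(xml_text):
    """Value of <constant name="struts.devMode"> in struts.xml, or None if unset.
    If the constant appears more than once the last occurrence wins."""
    value = None
    for const in ET.fromstring(xml_text).iter("constant"):
        if const.get("name") == KEY:
            value = const.get("value", "").strip().lower() == "true"
    return value


def devmode_from_properties(text):
    """Value of struts.devMode in a .properties file, or None if unset.
    Handles '=' and ':' separators and '#'/'!' comment lines."""
    value = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, val = line.partition("=")
        if not sep:
            key, sep, val = line.partition(":")
        if key.strip() == KEY:
            value = val.strip().lower() == "true"
    return value


def audit(files):
    """files: {filename: text}. Returns (effective_devmode, findings).

    Struts loads struts.xml before struts.properties and later sources override
    earlier ones, so the properties value wins. Every source that sets the key
    is reported, because an override that is removed later silently re-enables
    development mode.
    """
    findings = []
    effective = None            # None: nothing set it, Struts default (off) applies
    xml_files = [n for n in files if n.endswith(".xml")]
    prop_files = [n for n in files if n.endswith(".properties")]
    for name in xml_files + prop_files:
        if name in xml_files:
            value = devmode_from_struts_xml(files[name])
        else:
            value = devmode_from_properties(files[name])
        if value is None:
            continue
        findings.append((name, "devMode ENABLED" if value else "devMode disabled"))
        effective = value
    return bool(effective), findings


def disable_devmode_properties(text):
    """Return the properties text with struts.devMode forced to false,
    replacing an existing line or appending one."""
    out, seen = [], False
    for raw in text.splitlines():
        stripped = raw.strip()
        key = stripped.partition("=")[0].partition(":")[0].strip()
        if key == KEY and stripped[:1] not in ("#", "!"):
            out.append(f"{KEY} = false")
            seen = True
        else:
            out.append(raw)
    if not seen:
        out.append(f"{KEY} = false")
    return "\n".join(out) + "\n"


# Constructed samples: a struts.xml that switches development mode on, and a
# properties file that does the same (left over from a debugging session).
WEAK_STRUTS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE struts PUBLIC "-//Apache Software Foundation//DTD Struts Configuration 2.5//EN"
    "http://struts.apache.org/dtds/struts-2.5.dtd">
<struts>
    <constant name="struts.devMode" value="true"/>
    <package name="adminui" extends="struts-default" namespace="/adminui"/>
</struts>
"""
WEAK_PROPERTIES = """struts.i18n.encoding = UTF-8
# left over from a debugging session
struts.devMode = true
"""

if __name__ == "__main__":
    effective, findings = audit({"struts.xml": WEAK_STRUTS_XML,
                                 "struts.properties": WEAK_PROPERTIES})
    for name, status in findings:
        print(f"{name}: {status}")
    print("effective struts.devMode:", effective)
    print("--- hardened struts.properties ---")
    print(disable_devmode_properties(WEAK_PROPERTIES), end="")
```

Treat any source that reads true as a finding even when another file overrides it: the override can disappear at the next redeploy. Note that web.xml filter init parameters sit even later in Struts' load order than struts.properties, so a deployment that sets struts.devMode there needs the same check extended to that file.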
3) Restrict exposure
- Do not expose AEM Forms admin or management endpoints to the internet. Place AEM Forms behind WAF/VPN, enforce mTLS where feasible, and restrict by source IP. (General best practice given the exploit class.)
4) Detection & response
- Hunt web/access logs for:
- Requests to admin UI or Struts-related paths from unknown IPs
- Query-string or POST parameters carrying OGNL or expression-language syntax (for example %{ or ${ sequences, references to java.lang classes, or the debug=command and expression= parameters of the Struts 2 debugging console that development mode enables)
- Unexpected child processes of the application server's Java process, Runtime.exec or ProcessBuilder activity, or new JSP/servlet files dropped into AEM directories
- If compromise is suspected: isolate, acquire forensics, rotate secrets/tokens, and rebuild from known-good media.
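A log-hunting script for the indicators above, as an added example that is not part of the original article. It runs over four constructed access-log lines in Apache combined format (application servers log differently, so adapt the regex), URL-decodes each query string repeatedly so that double-encoded payloads surface, and flags three things: requests to admin paths from outside an assumed trusted network (/adminui is the AEM Forms on JEE Administration Console context; the other prefixes and the 10.0.0.0/8 range are assumptions to tune), OGNL/expression-language markers in the query, and the debug=command / expression= parameter pair of the Struts 2 debugging console that development mode enables:

```python
"""Hunt an access log for probes at AEM Forms on JEE admin paths and for
OGNL / Struts development-mode markers. Added example; the log lines are
constructed, the trusted network and most path prefixes are assumptions."""
import ipaddress
import re
from urllib.parse import parse_qsl, unquote, unquote_plus, urlsplit

# /adminui is the AEM Forms on JEE Administration Console context; the other
# prefixes are placeholders to replace with the deployment's admin surface.
ADMIN_PREFIXES = ("/adminui", "/lc/", "/struts/")
# Source networks from which admin access is expected (assumed for the example).
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]
# Substrings typical of OGNL / expression-language evaluation attempts,
# matched against the URL-decoded, lower-cased query string.
OGNL_MARKERS = ("%{", "${", "@java.lang", "getruntime", "processbuilder", "ognl.")

# Apache combined log format; application servers differ, adapt the regex.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def deep_decode(s, rounds=3):
    """URL-decode until stable so double-encoded payloads (%2525%257B) surface."""
    for _ in range(rounds):
        decoded = unquote_plus(s)
        if decoded == s:
            break
        s = decoded
    return s


def analyze_line(line):
    """Parse one log line; return {"ip", "path", "reasons"} or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, target = m.group("ip"), m.group("target")
    parts = urlsplit(target)
    path = unquote(parts.path)
    query = deep_decode(parts.query)
    reasons = []

    # 1. Admin surface reached from outside the expected networks.
    if path.lower().startswith(ADMIN_PREFIXES):
        try:
            trusted = any(ipaddress.ip_address(ip) in net for net in TRUSTED_NETS)
        except ValueError:          # hostname or garbage in the client field
            trusted = False
        if not trusted:
            reasons.append(f"admin path {path} from untrusted source {ip}")

    # 2. Expression-language markers anywhere in the decoded query string.
    hits = [mk for mk in OGNL_MARKERS if mk in query.lower()]
    if hits:
        reasons.append("OGNL/expression markers in query: " + ", ".join(hits))

    # 3. The Struts 2 debugging console (debug=command&expression=...) that
    #    struts.devMode switches on; parse the raw query so '&' inside the
    #    decoded expression does not split parameters.
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    if params.get("debug") == "command" and "expression" in params:
        reasons.append("Struts devMode debug console parameters")

    return {"ip": ip, "path": path, "reasons": reasons}


def hunt(lines):
    """Return [(line_number, record)] for lines with at least one reason."""
    findings = []
    for n, line in enumerate(lines, 1):
        rec = analyze_line(line)
        if rec and rec["reasons"]:
            findings.append((n, rec))
    return findings


# Constructed sample (not real traffic): a trusted admin login, a devMode/OGNL
# probe, an admin hit from an unknown source, and an ordinary form request.
SAMPLE_LOG = """\
10.0.5.20 - - [16/Oct/2025:09:12:01 +0000] "GET /adminui/ HTTP/1.1" 200 5120
203.0.113.45 - - [16/Oct/2025:09:13:44 +0000] "GET /adminui/login.faces?debug=command&expression=%25%7B1%2B1%7D HTTP/1.1" 200 312
198.51.100.7 - - [16/Oct/2025:09:14:02 +0000] "POST /lc/content/example.html HTTP/1.1" 200 9812
203.0.113.45 - - [16/Oct/2025:09:15:10 +0000] "GET /content/forms/af/sample.html?wcmmode=disabled HTTP/1.1" 200 17650
"""

if __name__ == "__main__":
    for n, rec in hunt(SAMPLE_LOG.splitlines()):
        print(f"line {n}: {rec['ip']} -> {rec['path']}")
        for reason in rec["reasons"]:
            print("    -", reason)
```

Access logs do not record POST bodies, so the marker check only sees GET parameters; extend the same logic to WAF or reverse-proxy logs that capture bodies, and treat a 200 response to a debug-console probe as a stronger signal than a 4xx, since it suggests the console actually answered.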
5) Validate third-party integrations
- Review downstream systems (e-sign providers, storage, identity providers) for abused tokens or anomalous transactions after patching, and rotate any integration credentials that were stored on the AEM Forms host.
6) Track KEV deadlines
- U.S. Federal Civilian Executive Branch (FCEB) agencies must remediate by November 5, 2025 per the KEV listing (added October 15, 2025); private-sector organizations should treat the same date as their deadline and handle this as an emergency change window.
Differences / comparison with related AEM Forms cases
- CVE-2025-54253 (CVSS 10): Pre-auth RCE via misconfiguration/Struts dev mode pathway — actively exploited.
- CVE-2025-54254 (CVSS 8.6): XXE enabling arbitrary file read — often used for reconnaissance/credential harvesting but not necessarily RCE by itself.
- CVE-2025-49533 (RCE): Separate servlet-level RCE; important to patch but distinct from the dev-mode misconfiguration exploited in CVE-2025-54253.
Summary / key takeaways
- CVE-2025-54253 in AEM Forms on JEE is critical (CVSS 10) and exploited; treat as an incident-level risk until patched and hardened.
- Patch (APSB25-82) and disable Struts dev mode / lock down admin components per Adobe guidance.
- Expect internet-wide scanning and opportunistic exploitation; implement network controls, monitor for exploit indicators, and prepare IR playbooks.
Sources / bibliography
- Adobe Security Bulletin APSB25-82 — “Security update available for Adobe AEM Forms on JEE” (Aug 5, 2025). (Adobe Help Center)
- Adobe Experience League — “Mitigating XXE, Struts Dev Mode configuration vulnerabilities for AEM Forms on JEE.” (Experience League)
- Adobe Experience League — “Mitigating Remote Code Execution Vulnerability for AEM Forms on JEE (CVE-2025-49533).” (Experience League)
- SecurityWeek — “Organizations Warned of Exploited Adobe AEM Forms Vulnerability.” (Oct 2025). (SecurityWeek)
- The Hacker News — “CISA flags Adobe AEM flaw with perfect 10.0 score — already under active attack.” (Oct 16, 2025). (The Hacker News)

