CISA Flags Adobe AEM Flaw with Perfect 10.0 Score — Already Under Active Attack

Summary

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-54253, a maximum-severity (CVSS 10.0) misconfiguration in Adobe Experience Manager (AEM) Forms on JEE, to its Known Exploited Vulnerabilities (KEV) catalogue after evidence of active exploitation. Adobe fixed the issue in AEM Forms on JEE 6.5.0-0108, released in early August 2025. The bug permits pre-authentication remote code execution via an exposed /adminui/debug endpoint that evaluates attacker-supplied OGNL expressions; a related XXE flaw (CVE-2025-54254) was disclosed alongside it.

Key Points

  • CISA added CVE-2025-54253 to the KEV catalogue due to active exploitation; CVSS score is 10.0.
  • Affected: Adobe Experience Manager (AEM) Forms on JEE versions 6.5.23.0 and earlier; patched in 6.5.0-0108.
  • Root cause: exposed /adminui/debug servlet that evaluates user-supplied OGNL expressions without authentication, enabling pre-auth RCE.
  • Researchers (Searchlight Cyber) and security firms (FireCompass) disclosed technical details; a public proof-of-concept exists.
  • Federal Civilian Executive Branch agencies were told to apply fixes by 5 November 2025; organisations should prioritise patching immediately.

Content summary

Searchlight Cyber researchers described CVE-2025-54253 as an authentication bypass that chains into remote code execution via Struts2 DevMode; CVE-2025-54254 is an XML external entity (XXE) issue in the AEM Forms web services. The exposed debug servlet evaluates OGNL as Java code with no authentication or input validation, so an attacker can run system commands with a single crafted HTTP request. Adobe acknowledges that public proof-of-concept code exists and released a patch in August 2025. CISA's KEV listing follows observed exploitation and accompanies a broader set of recent KEV additions for other critical products.

Context and Relevance

This is a high-impact, high-likelihood vulnerability: AEM is widely used for websites and forms, and an unauthenticated RCE in a management endpoint is an attractive target for attackers. The addition to CISA's KEV catalogue signals active exploitation and forces public-sector urgency; private-sector organisations using AEM Forms should treat it with the same urgency. It also fits the ongoing trend of critical server-side and supply-chain flaws being weaponised quickly after disclosure.

Immediate actions and mitigations

  • Apply Adobe's patch (AEM Forms on JEE 6.5.0-0108 or later) immediately on affected installations.
  • If patching can't be immediate, restrict network access to the AEM admin interfaces, block /adminui/debug (and any other DevMode endpoints) at the reverse proxy or WAF, and add WAF rules for OGNL payloads. Treat the WAF as defence in depth only: expect percent-encoded and double-encoded payloads, and verify from an untrusted network that the endpoint really returns 403/404 after the change.
  • Because the flaw is pre-authentication, a successful exploit can leave nothing more than a single request in the access log. Review web server and AEM access logs for any request to /adminui/debug or other admin endpoints, especially those returning 200 from untrusted addresses, and investigate unknown processes, new scheduled tasks or web shells on the host.
  • Follow vendor advisories and CISA guidance; prioritise systems that are internet-facing or that back high-value services.
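The log review above is the step most teams need to do at scale, so here is an added example of it in Python. This is illustrative code written for this page; it is not from The Hacker News, Adobe or Searchlight Cyber. It assumes Combined Log Format access logs (the Apache/nginx default), treats any hit on the /adminui/debug servlet named in the advisory as worth a look regardless of payload, and additionally flags generic OGNL/Struts expression syntax anywhere in the request target. The OGNL indicators are heuristics, not a specific proof of concept; the sample log lines, including the query parameter name `expr`, are constructed for the example.

```python
"""Hunt AEM access logs for CVE-2025-54253-style activity.

Added example for this page, not vendor or researcher code. Assumptions:
- Logs are Combined Log Format: ip ident user [ts] "METHOD target proto" status ...
- Any request whose path reaches /adminui/debug is suspicious on its own.
- OGNL_INDICATORS are generic OGNL/Struts syntax, not a particular exploit.
"""
import ipaddress
import re
from urllib.parse import unquote, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: \S+)?" (?P<status>\d{3}) '
)

DEBUG_SERVLET = "/adminui/debug"  # endpoint named in the advisory

# Heuristic OGNL / Struts expression markers (assumption: generic syntax, no PoC).
OGNL_INDICATORS = {
    "static-call": re.compile(r"@[\w.]+@\w+\s*\("),          # @pkg.Class@method(
    "member-access": re.compile(r"#_memberAccess"),            # Struts sandbox flag
    "context-ref": re.compile(r"#(?:context|request|application)\b"),
    "exec-api": re.compile(r"getRuntime\s*\(|ProcessBuilder"),
}


def decode_fully(s, max_rounds=3):
    """Undo repeated percent-encoding; attackers double-encode to slip past WAFs."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def ognl_hits(target):
    """Names of OGNL indicators present in the fully decoded request target."""
    decoded = decode_fully(target)
    return [name for name, rx in OGNL_INDICATORS.items() if rx.search(decoded)]


def is_trusted(ip, trusted_nets):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in trusted_nets)


def triage(lines, trusted_cidrs=()):
    """Return one finding per suspicious log line, in log order."""
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not Combined Log Format; adjust LOG_RE for your server
        target = m["target"]
        # Split on the raw target first so an encoded '?' cannot hide a query string.
        path = decode_fully(urlsplit(target).path).lower()
        reasons = []
        if path.startswith(DEBUG_SERVLET):
            reasons.append("debug-servlet")
        reasons += ["ognl:" + h for h in ognl_hits(target)]
        if not reasons:
            continue
        # A 200 from the debug servlet means the request was served, not blocked.
        severity = "high" if "debug-servlet" in reasons and m["status"] == "200" else "medium"
        if is_trusted(m["ip"], nets):
            severity = "low"  # still reported: DevMode should not be reachable internally either
        findings.append({
            "ip": m["ip"], "ts": m["ts"], "status": m["status"],
            "path": path, "reasons": reasons, "severity": severity,
        })
    return findings


# Constructed sample lines for the example; not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [16/Oct/2025:02:14:03 +0000] "GET /adminui/debug?expr=%40java.lang.Runtime%40getRuntime%28%29 HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '198.51.100.21 - - [16/Oct/2025:02:14:09 +0000] "GET /adminui/%2564ebug HTTP/1.1" 403 0 "-" "curl/8.4.0"',
    '10.0.0.5 - - [16/Oct/2025:02:15:00 +0000] "GET /adminui/debug HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [16/Oct/2025:02:16:30 +0000] "POST /content/forms/af/contact.html?x=%23_memberAccess HTTP/1.1" 500 0 "-" "python-requests/2.31"',
    '192.0.2.44 - - [16/Oct/2025:02:17:00 +0000] "GET /content/dam/logo.png HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, trusted_cidrs=["10.0.0.0/8"]):
        print(f["severity"].upper(), f["ip"], f["status"], f["path"], ",".join(f["reasons"]))
```

Run it against your real logs with `triage(open("access.log"))` and the CIDR ranges of your own admin networks. The second sample line shows why the decoder loops: `/adminui/%2564ebug` only becomes `/adminui/debug` after two decoding rounds, so a single-pass block rule or WAF signature would miss it. A "high" finding (debug servlet served with 200 from an untrusted address) should be treated as a likely compromise of that host, not merely a scan, because the advisory describes exploitation as a single request.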

Why should I read this?

Short answer: if you run AEM Forms or host AEM publicly, this is a big deal — attackers are already using it. Patch now, or at least lock down the admin endpoints and hunt for signs of compromise. We’ve done the legwork so you know exactly what to act on.

Source

Source: https://thehackernews.com/2025/10/cisa-flags-adobe-aem-flaw-with-perfect.html