CISA Warns Of Actively Exploited Critical Adobe Experience Manager Flaw

CVE-2025-54253 rated 10.0, poses active remote code execution risk in Adobe Experience Manager.

Published on Oct 17, 2025
Written by Mirren McDade

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning that a maximum-severity vulnerability in Adobe Experience Manager (AEM) is currently being exploited by attackers to execute code on unpatched systems.

Identified as CVE-2025-54253, the flaw arises from a misconfiguration in AEM Forms on JEE, versions 6.5.23 and earlier, and carries a CVSS score of 10.0. If successfully exploited, unauthenticated threat actors can bypass security controls and execute arbitrary code remotely. Exploitation is low-complexity and requires no user interaction.

It is not yet clear how the vulnerability is being exploited in real-world attacks, but Adobe has acknowledged in its advisory that “CVE-2025-54253 and CVE-2025-54254 have a publicly available proof-of-concept.”

Discovery and Timeline

The vulnerability was uncovered by Adam Kues and Shubham Shah of Searchlight Cyber, who reported it to Adobe on April 28th alongside two additional issues (CVE-2025-54254 and CVE-2025-49533). Initially, Adobe patched only CVE-2025-49533 in April, leaving the other two unresolved for over three months. Public write-ups detailing the flaws and their exploitation were released on July 29th.

Adobe released updates on August 9th to address CVE-2025-54253, confirming that proof-of-concept exploit code had already been made publicly available.

Mechanics of the Flaw

Although Adobe classifies CVE-2025-54253 primarily as a misconfiguration, Searchlight Cyber highlights that the flaw involves an authentication bypass, coupled with the Struts development mode remaining enabled in the admin UI.

According to FireCompass, “The flaw results from the dangerously exposed /adminui/debug servlet, which evaluates user-supplied OGNL expressions as Java code without requiring authentication or input validation. The endpoint’s misuse enables attackers to execute arbitrary system commands with a single crafted HTTP request.”
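Because the flaw, as described above, lives in a single unauthenticated servlet path, one practical hunting step is to sweep reverse-proxy or dispatcher access logs for any request that reaches /adminui/debug. The following Python script is an added example, not code from the article, Adobe or FireCompass: it assumes Combined Log Format, normalises the request path so that URL-encoded or path-parameter variants are still matched, and reports which sources got an HTTP 200 (a sign the servlet answered without authentication). The sample log lines, IP addresses and the `debug=PLACEHOLDER` query string are constructed for the example; the real request parameters are not shown here.

```python
"""Hunt for requests to the AEM Forms /adminui/debug servlet in access logs.

Added example (not from the article or from Adobe). Assumes Combined Log
Format; sample lines below are constructed and use a placeholder parameter.
"""
import re
from collections import defaultdict
from urllib.parse import unquote

# ip - user [time] "METHOD target HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

DEBUG_SERVLET = "/adminui/debug"


def is_debug_servlet(target: str) -> bool:
    """True if the request target resolves to /adminui/debug after normalisation.

    Decodes twice (catches one layer of double-encoding), drops the query
    string and servlet path parameters (";jsessionid=..."), lower-cases and
    collapses repeated slashes so "/%2Fadminui%2Fdebug" is still recognised.
    """
    decoded = unquote(unquote(target))
    path = decoded.split("?", 1)[0].split(";", 1)[0].lower()
    while "//" in path:
        path = path.replace("//", "/")
    return path == DEBUG_SERVLET or path.startswith(DEBUG_SERVLET + "/")


def triage(lines):
    """Return {ip: {"hits": n, "statuses": {...}}} for requests touching the servlet."""
    findings = defaultdict(lambda: {"hits": 0, "statuses": set()})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; a production job should count these too
        if is_debug_servlet(m["target"]):
            entry = findings[m["ip"]]
            entry["hits"] += 1
            entry["statuses"].add(int(m["status"]))
    return dict(findings)


def served_ok(findings):
    """Sources that received HTTP 200 from the servlet: it answered unauthenticated."""
    return sorted(ip for ip, f in findings.items() if 200 in f["statuses"])


# Constructed sample access log (not real traffic); addresses are RFC 5737 test ranges.
SAMPLE_LOG = [
    '203.0.113.7 - - [15/Oct/2025:10:01:12 +0000] "GET /adminui/debug?debug=PLACEHOLDER HTTP/1.1" 200 512 "-" "curl/8.4.0"',
    '203.0.113.7 - - [15/Oct/2025:10:01:13 +0000] "POST /adminui/debug HTTP/1.1" 200 734 "-" "curl/8.4.0"',
    '198.51.100.23 - - [15/Oct/2025:10:02:40 +0000] "GET /content/dam/logo.png HTTP/1.1" 200 8812 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [15/Oct/2025:10:02:41 +0000] "GET /%2Fadminui%2Fdebug HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [15/Oct/2025:10:03:05 +0000] "GET /adminui/debug;jsessionid=ABC123 HTTP/1.1" 302 0 "-" "python-requests/2.32"',
    'this line is not in log format',
]

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for ip, f in sorted(result.items()):
        print(f"{ip}: {f['hits']} request(s), statuses {sorted(f['statuses'])}")
    print("answered 200 (investigate first):", served_ok(result))
```

Run it against your own logs by replacing `SAMPLE_LOG` with the file's lines; a 403 or 302 on the path is still worth noting, since it shows the endpoint is being probed, but a 200 on an unpatched instance is the result that should trigger incident response.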

Scope, Risk, and CISA Directive

CISA has added the vulnerability to its Known Exploited Vulnerabilities Catalog. Binding Operational Directive (BOD) 22-01 mandates that Federal Civilian Executive Branch (FCEB) agencies address identified vulnerabilities by the specified deadline to safeguard their networks from active threats.

While BOD 22-01 is aimed at U.S. federal agencies, CISA emphasized that all organizations (including private-sector companies) should prioritize patching to defend against active exploitation.

“Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable,” CISA stated.

The Big Picture

CVE-2025-54253 underscores the risks posed by misconfigurations in widely used enterprise software and the urgency of timely patch management. Organizations running Adobe Experience Manager Forms should immediately verify whether their systems are updated and restrict Internet access to affected instances until mitigations are applied. Active exploitation and public proof-of-concept code heighten the threat, making prompt action essential to prevent unauthorized remote code execution.