On October 16, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a critical security vulnerability affecting Adobe Experience Manager (AEM) to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
Vulnerability Details
The vulnerability, identified as CVE-2025-54253, carries a maximum severity rating with a Common Vulnerability Scoring System (CVSS) score of 10.0. This misconfiguration flaw allows for arbitrary code execution, posing a significant risk to affected systems.
According to Adobe, the issue impacts AEM Forms on JEE versions 6.5.23.0 and earlier. The company addressed this vulnerability in version 6.5.0-0108, released in early August 2025, alongside another related flaw, CVE-2025-54254, which has a CVSS score of 8.6.
Discovery and Technical Insights
Researchers Adam Kues and Shubham Shah from Searchlight Cyber disclosed details of these vulnerabilities in July 2025. They described CVE-2025-54253 as an authentication-bypass-to-remote-code-execution chain via Struts2 devmode, and CVE-2025-54254 as an XML external entity (XXE) injection within AEM Forms web services.
The root cause of CVE-2025-54253 lies in the exposed `/adminui/debug` servlet, which evaluates user-supplied Object-Graph Navigation Language (OGNL) expressions as Java code without requiring authentication or input validation. This misconfiguration enables attackers to execute arbitrary system commands through a single crafted HTTP request.
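As an added example (not from the article, Adobe, or the researchers), the following Python script scans web-server access log lines for requests to the `/adminui/debug` servlet named above and summarizes, per source address, how many of those requests the server answered with a 2xx status, which would indicate the endpoint is reachable. The log lines are constructed for illustration; the log format is assumed to be the common combined format.

```python
import re

# Constructed sample of combined-format access log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [16/Oct/2025:10:12:01 +0000] "GET /content/dam/logo.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [16/Oct/2025:10:12:04 +0000] "POST /adminui/debug HTTP/1.1" 200 812 "-" "python-requests/2.32"
198.51.100.7 - - [16/Oct/2025:10:12:09 +0000] "GET /adminui/debug?x=1 HTTP/1.1" 200 640 "-" "curl/8.4.0"
203.0.113.9 - - [16/Oct/2025:10:13:30 +0000] "GET /lc/content/forms/af/test.html HTTP/1.1" 200 2200 "-" "Mozilla/5.0"
"""

# Assumed combined log format: client, ident, user, [timestamp], "METHOD PATH PROTO", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

DEBUG_SERVLET = "/adminui/debug"


def flag_debug_servlet_hits(log_text):
    """Return (ip, timestamp, method, raw_path, status) for each request to the debug servlet.

    The query string is stripped and a trailing slash ignored before comparing,
    so `/adminui/debug?anything` and `/adminui/debug/` are both caught.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than crash on noise
        path = m.group("path").split("?", 1)[0].rstrip("/").lower()
        if path == DEBUG_SERVLET:
            hits.append((m.group("ip"), m.group("ts"), m.group("method"),
                         m.group("path"), int(m.group("status"))))
    return hits


def summarize_by_source(hits):
    """Map source IP -> count of debug-servlet requests answered with 2xx (endpoint reachable)."""
    summary = {}
    for ip, _ts, _method, _path, status in hits:
        if 200 <= status < 300:
            summary[ip] = summary.get(ip, 0) + 1
    return summary


if __name__ == "__main__":
    for hit in flag_debug_servlet_hits(SAMPLE_LOG):
        print("debug servlet request:", hit)
    print("reachable hits per source:", summarize_by_source(flag_debug_servlet_hits(SAMPLE_LOG)))
```

Any 2xx response to this path on an unpatched AEM Forms on JEE host is worth treating as a finding in its own right, since the servlet should not be reachable without authentication.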
Exploitation and Mitigation
While specific details on the exploitation methods remain undisclosed, Adobe acknowledged the existence of publicly available proof-of-concept exploits for both CVE-2025-54253 and CVE-2025-54254. In response to the active exploitation, CISA has advised Federal Civilian Executive Branch (FCEB) agencies to apply the necessary patches by November 5, 2025, to mitigate potential threats.
Broader Context
This development follows CISA’s recent addition of another critical vulnerability to the KEV catalog. On October 15, 2025, the agency included CVE-2016-7836, an improper authentication flaw in SKYSEA Client View with a CVSS score of 9.8. The Japan Vulnerability Notes (JVN) reported that attacks exploiting this vulnerability have been observed in the wild.
Implications for Organizations
The inclusion of CVE-2025-54253 in CISA’s KEV catalog underscores the critical nature of this vulnerability and the importance of prompt remediation. Organizations running Adobe Experience Manager Forms on JEE should prioritize updating to the patched version to protect their systems from exploitation.
Conclusion
The active exploitation of CVE-2025-54253 highlights the ongoing challenges in cybersecurity, particularly concerning widely used enterprise solutions like Adobe Experience Manager. Timely application of security patches and adherence to best practices are essential in mitigating such risks.