Adobe

CISA added CVE-2025-54253, a critical misconfiguration vulnerability in Adobe Experience Manager (AEM) Forms on Java Enterprise Edition (JEE), to its Known Exploited Vulnerabilities (KEV) catalog, confirming active in-the-wild exploitation. The flaw stems from an improperly enabled Apache Struts 'devMode' in the admin UI, combined with an authentication bypass, allowing unauthenticated attackers to execute arbitrary code remotely via evaluated Struts expressions. Exploitation requires no user interaction and is classified as low-complexity, posing a severe risk to standalone AEM Forms deployments on J2EE-compatible servers like JBoss.

Though Adobe patched the vulnerability in August 2025 (alongside CVE-2025-54254, an XXE flaw), a public proof-of-concept (PoC) exploit was released earlier after researchers (Shubham Shah and Adam Kues) disclosed the flaws due to Adobe's delayed response. The absence of mitigations before the patch led to active exploitation, prompting CISA to mandate Federal Civilian Executive Branch (FCEB) agencies to apply fixes by November 5, 2025. Organizations failing to upgrade to version 6.5.0-0108 or later remain exposed to full system compromise, data breaches, or lateral movement within corporate networks. The vulnerability's exploitation could enable attackers to deploy malware, steal sensitive data, or disrupt business operations, particularly in enterprises relying on AEM Forms for critical workflows.

Source: https://www.helpnetsecurity.com/2025/10/16/adobe-experience-manager-vulnerability-exploited-cve-2025-54253/

TPRM report: https://www.rankiteo.com/company/adobetcs

"id": "ado1392213101625",
"linkid": "adobetcs",
"type": "Vulnerability",
"date": "8/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'industry': 'Technology',
                        'location': 'Global',
                        'name': 'Adobe',
                        'type': 'Software Vendor'},
                       {'industry': 'Public Sector',
                        'location': 'United States',
                        'name': 'Federal Civilian Executive Branch (FCEB) '
                                'Agencies',
                        'type': 'Government'},
                       {'location': 'Global',
                        'name': 'Organizations using AEM Forms on JEE '
                                '(versions 6.5.23.0 and earlier)',
                        'type': ['Private Sector', 'Public Sector']}],
 'attack_vector': ['Network',
                   'Low-Complexity Attack',
                   'No User Interaction Required'],
 'customer_advisories': ['Adobe recommends upgrading to patched versions and '
                         'restricting access to standalone deployments.'],
 'date_resolved': '2025-08-01',
 'description': 'CISA has added CVE-2025-54253, a misconfiguration '
                'vulnerability in Adobe Experience Manager (AEM) Forms on Java '
                'Enterprise Edition (JEE), to its Known Exploited '
                'Vulnerabilities (KEV) catalog, warning of detected '
                'in-the-wild exploitation. The vulnerability allows remote '
                "code execution (RCE) due to an enabled 'devMode' in Apache "
                'Struts within the admin UI and an authentication bypass. It '
                'affects AEM Forms on JEE versions 6.5.23.0 and earlier. A '
                'proof-of-concept (PoC) exploit was publicly released before '
                "Adobe's August 2025 patch, increasing the risk of "
                'exploitation. CISA has mandated Federal Civilian Executive '
                'Branch (FCEB) agencies to patch their systems by November 5, '
                '2025.',
 'impact': {'systems_affected': ['Adobe Experience Manager (AEM) Forms on JEE '
                                 '(versions 6.5.23.0 and earlier)',
                                 'Standalone deployments on J2EE-compatible '
                                 'servers (e.g., JBoss)']},
 'initial_access_broker': {'entry_point': ['Misconfigured Apache Struts '
                                           "'devMode' in AEM Forms admin UI",
                                           'Authentication bypass']},
 'investigation_status': 'Ongoing (limited details available; CISA KEV entry '
                         'lacks attack specifics)',
 'lessons_learned': ['Timely patching is critical to prevent exploitation of '
                     'publicly disclosed vulnerabilities.',
                     'Restricting internet exposure of vulnerable systems can '
                     'mitigate risk pre-patch.',
                     'Public PoC exploits accelerate attacker adoption of '
                     'vulnerabilities.'],
 'post_incident_analysis': {'corrective_actions': ['Patch deployment (AEM '
                                                   'Forms 6.5.0-0108+)',
                                                   'Restrict internet exposure '
                                                   'of vulnerable systems',
                                                   'Enhanced monitoring for '
                                                   'RCE attempts'],
                            'root_causes': ['Misconfiguration in AEM Forms '
                                            "(Apache Struts 'devMode' enabled)",
                                            'Lack of authentication '
                                            'enforcement',
                                            'Delayed patching post-PoC '
                                            'release']},
 'recommendations': ['Upgrade AEM Forms on JEE to version 6.5.0-0108 or later '
                     'immediately.',
                     'Audit and restrict internet-facing deployments of AEM '
                     'Forms, especially standalone instances on J2EE servers.',
                     'Monitor for signs of exploitation, such as unauthorized '
                     'code execution or unusual admin UI activity.',
                     'Follow CISA directives for FCEB agencies and apply '
                     'patches by the November 5, 2025 deadline.',
                     'Implement network segmentation to limit lateral movement '
                     'if exploitation occurs.'],
 'references': [{'source': 'CISA Known Exploited Vulnerabilities (KEV) '
                           'Catalog'},
                {'source': 'Adobe Security Bulletin (August 2025)'},
                {'source': 'Researchers Shubham Shah and Adam Kues (PoC '
                           'Disclosure)'}],
 'regulatory_compliance': {'regulatory_notifications': ['CISA KEV catalog '
                                                        'inclusion',
                                                        'Mandatory patching '
                                                        'deadline for FCEB '
                                                        'agencies (November 5, '
                                                        '2025)']},
 'response': {'communication_strategy': ['CISA KEV catalog update',
                                         'Adobe security advisory',
                                         'Public disclosure of PoC exploit by '
                                         'researchers (Shubham Shah, Adam '
                                         'Kues)'],
              'containment_measures': ['Restrict internet access to standalone '
                                       'AEM Forms deployments (pre-patch '
                                       'mitigation)'],
              'remediation_measures': ['Upgrade to AEM Forms on JEE version '
                                       '6.5.0-0108 or later']},
 'stakeholder_advisories': ['CISA patching directive for FCEB agencies',
                            'Adobe security advisory for customers'],
 'title': 'Exploitation of CVE-2025-54253 in Adobe Experience Manager (AEM) '
          'Forms on JEE',
 'type': ['Vulnerability Exploitation',
          'Remote Code Execution (RCE)',
          'Misconfiguration'],
 'vulnerability_exploited': ['CVE-2025-54253 (Misconfiguration in AEM Forms - '
                             "Apache Struts 'devMode' enabled + Authentication "
                             'Bypass)',
                             'CVE-2025-54254 (Improper Restriction of XML '
                             'External Entity Reference)']}