SOCRadar® Cyber Intelligence Inc. | CVE-2025-54253: Critical Adobe Experience Manager Vulnerability Actively Exploited
Oct 17, 2025
Moon

A critical vulnerability, CVE-2025-54253, has recently been exploited in Adobe Experience Manager (AEM), drawing urgent attention from security agencies. This flaw affects organizations relying on AEM Forms and highlights the risk posed by unpatched enterprise systems. Let’s unpack what this means and what you need to do now.

What Is CVE-2025-54253?

CVE-2025-54253 is a maximum-severity (CVSS 10.0) flaw in Adobe Experience Manager (AEM). The flaw stems from a misconfiguration in AEM’s Struts2 DevMode, specifically involving the exposed /adminui/debug servlet. This component evaluates user-supplied OGNL expressions as Java code – without requiring authentication or input validation.

In simpler terms, this opens a path for unauthenticated attackers to execute arbitrary commands remotely, potentially taking full control of vulnerable systems.

Details of CVE-2025-54253 (SOCRadar Vulnerability Intelligence)

Which AEM Versions Are Affected?

The vulnerability affects AEM Forms on JEE versions 6.5.23.0 and earlier.

How Was the Vulnerability Discovered?

Security researchers from Searchlight Cyber initially uncovered the issue in April 2025, alongside two other security vulnerabilities (CVE-2025-54254 and CVE-2025-49533). While Adobe first patched CVE-2025-49533, the remaining flaws were fixed with an August 2025 advisory. By that time, a public Proof-of-Concept (PoC) exploit had already surfaced online.

How Are Threat Actors Exploiting This Flaw?

CISA’s inclusion of CVE-2025-54253 in its Known Exploited Vulnerabilities (KEV) Catalog on October 15, 2025, reflects confirmed real-world exploitation.

The vulnerability’s exploitation requires no user interaction and involves low attack complexity, making it especially dangerous. Malicious actors can send a single crafted HTTP request to trigger Remote Code Execution (RCE), granting them system-level access on affected servers.

Though technical details of active exploitation remain limited, the exposure of a PoC significantly increases the likelihood of automated attacks targeting unpatched AEM instances accessible over the internet.

CISA requires affected federal agencies to patch CVE-2025-54253 by November 5, 2025, under Binding Operational Directive (BOD) 22-01. The agency also urges all other organizations to act quickly, warning that unpatched systems remain open to attack.

What Should Organizations Do to Mitigate the Risk?

Adobe released a patch for this flaw in AEM 6.5.0-0108. Organizations using affected versions should:

  • Upgrade immediately to the latest version of AEM Forms on JEE.
  • Restrict internet access to AEM Forms if patching is delayed, especially when running as a standalone application.
  • Monitor for suspicious HTTP requests targeting the /adminui/debug endpoint.
  • Review system logs for anomalous Java process execution or unexpected configuration changes.
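As an added example that is not part of the original post or of any SOCRadar tooling, the following Python script implements the monitoring step above: it scans web-server access-log lines (combined log format, in front of an AEM Forms instance) for any request that reaches the /adminui/debug servlet and summarizes hits per source address. The log lines are constructed samples using documentation IP ranges, not real traffic.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Combined log format as written by Apache httpd / nginx reverse proxies.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# The servlet named in the advisory; it should not be reachable at all,
# so every request to it is worth an alert regardless of parameters.
WATCHED_PATH = "/adminui/debug"

def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["has_query"] = bool(parts.query)  # parameters were supplied
    return rec

def find_debug_servlet_hits(lines):
    """Return records for requests whose path begins with /adminui/debug.
    The path is case-folded so that mixed-case variants are not missed."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"].lower().startswith(WATCHED_PATH):
            hits.append(rec)
    return hits

def hits_by_source(hits):
    """Count flagged requests per client IP to surface scanning sources."""
    return Counter(h["ip"] for h in hits)

# Constructed sample lines (assumption: not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [16/Oct/2025:10:01:02 +0000] "GET /content/forms/af/demo.html HTTP/1.1" 200 5120',
    '198.51.100.7 - - [16/Oct/2025:10:01:09 +0000] "GET /adminui/debug?x=1 HTTP/1.1" 200 310',
    '198.51.100.7 - - [16/Oct/2025:10:01:11 +0000] "POST /AdminUI/Debug HTTP/1.1" 200 288',
    '203.0.113.9 - - [16/Oct/2025:10:02:30 +0000] "GET /libs/granite/core/content/login.html HTTP/1.1" 200 2048',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    hits = find_debug_servlet_hits(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ts"]} {h["ip"]} {h["method"]} {h["target"]} -> {h["status"]}')
    print("per-source counts:", dict(hits_by_source(hits)))
```

A 200 response on this path is the strongest signal, since it means the servlet answered rather than the proxy or AEM rejecting the request.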

SOCRadar’s Vulnerability Intelligence

The SOCRadar Cyber Threat Intelligence module helps organizations track the latest CVEs, Proof-of-Concept (PoC) exploits, and more in real time. It gives security teams the context they need to prioritize patches and understand emerging risks before they become incidents.

Complementing this, the Attack Surface Management (ASM) module continuously maps exposed assets and outdated technologies, reducing the chances of overlooked vulnerabilities.

Discover how SOCRadar can support faster, evidence-driven vulnerability management through its solutions.