The Cybersecurity and Infrastructure Security Agency (CISA) added a maximum-severity Adobe Experience Manager (AEM) Forms vulnerability to its catalog of Known Exploited Vulnerabilities (KEV) Wednesday.

The vulnerability, tracked as CVE-2025-54253, is a misconfiguration flaw in AEM Forms on Java Enterprise Edition (JEE) that allows authentication bypass and remote code execution (RCE). It was first patched and assigned a CVE on Aug. 5, 2025, and carries a CVSS score of 10.0.

The flaw was reported to Adobe by Shubham Shah and Adam Kues of Searchlight Cyber in late April 2025. The researchers published technical details about CVE-2025-54253 and two other AEM Forms flaws on July 29, 2025, after 90 days had passed since their initial report.

“While Adobe has addressed the vulnerabilities with updates, nearly three months passed from initial detection to patch implementation. At that point, proof-of-concept exploit code was already available, which means threat actors are armed and ready to take advantage of the vulnerability right now,” Nick Tausek, lead security automation architect at Swimlane, told SC Media in an email.

The authentication bypass flaw stems from a weak security filter in front of administrator endpoints: the filter lets a request through if certain substrings, such as “login.”, appear anywhere in the URL, rather than deciding on the actual request path. RCE can then be achieved because Struts2 developer mode was left enabled, which makes it possible for OGNL expressions to be executed.
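The substring-versus-path distinction in the filter description above, as an added example that is neither Adobe's code nor taken from the Searchlight write-up: a simplified model of the weak check beside a path-normalising one, plus an audit over constructed log lines that flags requests the weak check would have passed without a session. The public page names, log format and URLs are assumptions.

```python
"""Simplified model of the filter weakness described in the article: an
allowlist that matches substrings of the whole URL, beside a check that
decides on the normalised request path. Constructed illustration, not
Adobe's code; the path names and log lines below are sample values."""
import posixpath
from urllib.parse import unquote, urlsplit

PUBLIC_PATHS = {"/login.html", "/login.jsp"}   # sample unauthenticated pages


def weak_filter_allows(url: str, authenticated: bool) -> bool:
    """Weak pattern: a request is treated as a login page, and skips the
    session check, whenever the raw URL contains 'login.' anywhere."""
    return "login." in url or authenticated


def hardened_filter_allows(url: str, authenticated: bool) -> bool:
    """Decode the path, drop query and fragment, collapse '.' and '..'
    segments, then exempt only exact public paths; everything else the
    filter fronts requires a session (default deny)."""
    path = posixpath.normpath(unquote(urlsplit(url).path) or "/")
    if path in PUBLIC_PATHS:
        return True
    return authenticated


def audit(log_lines):
    """Return request URLs that the weak check would have let through to a
    protected path without a session but the hardened check refuses. Run
    over access logs to spot traffic that relied on the substring match."""
    flagged = []
    for line in log_lines:
        _method, url, session = line.split()   # sample format: METHOD URL SESSION
        authenticated = session != "-"
        weak_ok = weak_filter_allows(url, authenticated)
        if weak_ok and not hardened_filter_allows(url, authenticated):
            flagged.append(url)
    return flagged


SAMPLE_LOG = [                       # constructed, not real traffic
    "GET /login.html -",
    "GET /admin/config s3ss10n",
    "GET /admin/config?next=login.html -",
    "GET /admin/config -",
]

if __name__ == "__main__":
    print(audit(SAMPLE_LOG))   # ['/admin/config?next=login.html']
```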

CVE-2025-54253 impacts AEM Forms on JEE instances that are exposed to the internet and are running version 6.5.23.0 or earlier. The vulnerability was patched in version 6.5.0-0108.

Due to active exploitation of the vulnerability, federal civilian executive branch (FCEB) agencies are required to patch their systems by Nov. 5, 2025.

“While these government agencies typically utilize Adobe Experience Manager (AEM) for website management, it’s often connected to internal databases, identity management systems, or cloud infrastructure like AWS or Azure. Access to these deeper networks could grant attackers access to sensitive information like social security numbers, internal communications, or authentication tokens,” Tausek noted.