Adobe AEM CVE-2025-54253 Vulnerability Exploited in the Wild

Overview

On October 15, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) classified a maximum-severity vulnerability in Adobe Experience Manager (AEM) Forms on JEE as actively exploited, due to the flaw's capability for authentication bypass and arbitrary code execution (CVSS score: 10.0). Tracked as CVE-2025-54253, this misconfiguration exposed millions of enterprise and government deployments to direct compromise. Adobe has patched the issue, but given a working public exploit and evidence of widespread targeting, organizations are urged to urgently update all affected systems.

Background / Context

Adobe Experience Manager is a leading enterprise content management and workflow platform, extensively used by government, media, banking, and Fortune 500 companies for digital assets and forms automation. Previous AEM vulnerabilities have posed risks, but CVE-2025-54253 is unprecedented, enabling remote attackers to fully override system controls. This flaw specifically impacts versions 6.5.23.0 and earlier of AEM Forms on JEE.

Timeline of Events

July 2025	Vulnerability disclosed by Searchlight Cyber researchers
Aug 2025	Adobe releases patch for CVE-2025-54253 (v6.5.0-0108)
Oct 2025	Active exploitation detected, proof-of-concept published
Oct 15, 2025	CISA adds CVE-2025-54253 to KEV catalog
Nov 5, 2025	Agencies mandated to patch affected systems

Technical Details of the Breach

• Attack Vector: Authentication bypass chained to remote code execution via Struts2 devmode, accessible via /adminui/debug servlet.


• Vulnerabilities Exploited: CVE-2025-54253 (RCE via OGNL injection) and CVE-2025-54254 (XXE injection).


• Systems Affected: AEM Forms on JEE v6.5.23.0 and earlier.


• Persistence: Full compromise possible; arbitrary command execution enabled.


• IOCs: Requests toward /adminui/debug, OGNL payloads, unauthorized commands.

Impact Assessment

1. Millions of enterprise/government users affected.
2. Financial exposure: tens of millions in losses and fines.
3. Potential full system compromise with service disruption.
4. Strict patch compliance mandated by November 2025.

Response and Mitigation

• Adobe released critical updates in August 2025.
• CISA and JVN issued advisories highlighting exploitation.
• Organizations urged to upgrade to v6.5.0-0108 or newer.
• Ongoing monitoring for debug servlet access recommended.

Attribution

Exploitation is opportunistic and widespread with no single group identified; FireCompass confirmed active global scanning.

Expert Commentary

Security researchers from Searchlight Cyber, FireCompass, and Adobe Security urged mandatory updates and endpoint validation across AEM deployments.

Lessons Learned / Recommendations

• Patch and validate all servlet endpoints immediately.
• Enforce MFA on admin interfaces and monitor admin/debug access.
• Perform routine middleware vulnerability scanning and code review.

References

• The Hacker News, “CISA Flags Adobe AEM Flaw with Perfect 10.0 Score” (Oct 2025).
• Adobe Security Advisory (Aug 2025).
• CISA KEV Catalog and JVN advisories.