CISA Flags Adobe AEM Flaw

Oct 16, 2025 | Ravie Lakshmanan | Vulnerability / Data Security


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added[1] a critical security flaw impacting Adobe Experience Manager to its Known Exploited Vulnerabilities (KEV[2]) catalog, based on evidence of active exploitation.

The vulnerability in question is CVE-2025-54253 (CVSS score: 10.0), a maximum-severity misconfiguration bug that could result in arbitrary code execution.

According to Adobe, the shortcoming impacts[3] Adobe Experience Manager (AEM) Forms on JEE versions 6.5.23.0 and earlier. It was addressed in version 6.5.0-0108, released in early August 2025, alongside CVE-2025-54254 (CVSS score: 8.6).

“The flaw results from the dangerously exposed /adminui/debug servlet, which evaluates user-supplied OGNL expressions as Java code without requiring authentication or input validation,” security company FireCompass noted[4]. “The endpoint’s misuse enables attackers to execute arbitrary system commands with a single crafted HTTP request.”
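As an added detection example (not part of the article or of FireCompass's analysis), the function below scans constructed web access-log lines for requests to the /adminui/debug servlet named above and ranks unauthenticated or external hits highest. The log format, the admin network range and all IP addresses are assumptions.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed Apache-style access log lines (not from the article or any real
# incident). The /adminui/debug path is the servlet named in the FireCompass analysis.
SAMPLE_LOGS = [
    '10.0.5.12 - admin [15/Oct/2025:09:12:01 +0000] "GET /adminui/debug HTTP/1.1" 200 512',
    '203.0.113.7 - - [15/Oct/2025:09:14:44 +0000] "POST /adminui/debug HTTP/1.1" 200 88',
    '198.51.100.9 - - [15/Oct/2025:09:15:02 +0000] "GET /adminui/debug?x=1 HTTP/1.1" 200 88',
    '203.0.113.8 - - [15/Oct/2025:09:16:10 +0000] "GET /content/forms/af/demo.html HTTP/1.1" 200 4096',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) '
)

# Assumption: the AEM admin UI should only ever be reached from this internal range.
ADMIN_NETWORK = ip_network("10.0.0.0/8")


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["path_only"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec


def flag_debug_servlet_hits(lines, admin_network=ADMIN_NETWORK):
    """Return one finding per request to /adminui/debug. Hits that carry no
    authenticated user or come from outside the admin network are 'high';
    authenticated internal hits are 'review' (legitimate admin use is possible)."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path_only"]
        if path != "/adminui/debug" and not path.startswith("/adminui/debug/"):
            continue
        external = ip_address(rec["ip"]) not in admin_network
        unauthenticated = rec["user"] == "-"
        findings.append({
            "ip": rec["ip"], "method": rec["method"], "status": rec["status"],
            "external": external, "unauthenticated": unauthenticated,
            "severity": "high" if (external or unauthenticated) else "review",
        })
    return findings
```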


There is currently no information publicly available on how the security flaw is being exploited in real-world attacks, although Adobe acknowledged in its advisory that “CVE-2025-54253 and CVE-2025-54254 have a publicly available proof-of-concept.”

In light of active exploitation, Federal Civilian Executive Branch (FCEB) agencies are advised to apply the necessary fixes by November 5, 2025.

The development comes a day after CISA also added[5] a critical improper authentication vulnerability in SKYSEA Client View (CVE-2016-7836, CVSS score: 9.8) to the KEV catalog. Japan Vulnerability Notes (JVN), in an advisory released[6] in late 2016, said “attacks exploiting this vulnerability have been observed in the wild.”

“SKYSEA Client View contains an improper authentication vulnerability that allows remote code execution via a flaw in processing authentication on the TCP connection with the management console program,” the agency said.

References

  1. added (www.cisa.gov)
  2. KEV (www.cisa.gov)
  3. impacts (helpx.adobe.com)
  4. noted (firecompass.com)
  5. added (www.cisa.gov)
  6. released (jvn.jp)
