Categories: Cyber Security News

Adobe AEM Forms 0-Day Vulnerability Let Attackers Execute Arbitrary Code

Adobe has released an urgent security update for Adobe Experience Manager Forms on Java Enterprise Edition (JEE) to address two critical zero-day vulnerabilities that could allow attackers to execute arbitrary code and perform unauthorized file system access. 

The vulnerabilities, identified as CVE-2025-54253 and CVE-2025-54254, have been assigned the highest priority rating by Adobe, with proof-of-concept exploits already publicly available.

Key Takeaways
1. Two vulnerabilities allow code execution and file access without authentication.
2. Proof-of-concept exploits are already available, increasing attack risk.
3. Update AEM Forms JEE immediately.

Adobe AEM Forms Vulnerabilities

The more severe vulnerability, CVE-2025-54253, stems from a misconfiguration issue categorized under CWE-16 and carries the maximum CVSS base score of 10.0. 

This flaw enables attackers to achieve arbitrary code execution without authentication or user interaction; its CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H. 

The vulnerability’s critical nature lies in its network-accessible attack vector with low complexity requirements, making it particularly dangerous for internet-facing AEM Forms deployments.
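To make the vector strings in this article concrete, the following Java example (added here; it is not Adobe's or Assetnote's code) implements the base-score formulas from the public CVSS v3.1 specification and feeds it the two vectors Adobe published for these CVEs. The class and method names are my own; the weights and the Roundup function are the specification's. Run on the advisory's vectors it yields 10.0 for CVE-2025-54253 and 8.6 for CVE-2025-54254, which is how the 1.08 scope-change multiplier and the three "High" impact metrics push the first flaw to the ceiling of the scale.

```java
import java.util.HashMap;
import java.util.Map;

public class Cvss31BaseScore {

    // Parse "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" into a metric map,
    // rejecting vectors that are not v3.1 or that lack a base metric.
    static Map<String, String> parseVector(String vector) {
        String[] parts = vector.trim().split("/");
        if (!parts[0].equals("CVSS:3.1")) {
            throw new IllegalArgumentException("expected a CVSS:3.1 vector, got: " + parts[0]);
        }
        Map<String, String> metrics = new HashMap<>();
        for (int i = 1; i < parts.length; i++) {
            String[] kv = parts[i].split(":");
            if (kv.length != 2) throw new IllegalArgumentException("malformed metric: " + parts[i]);
            metrics.put(kv[0], kv[1]);
        }
        for (String required : new String[] {"AV", "AC", "PR", "UI", "S", "C", "I", "A"}) {
            if (!metrics.containsKey(required)) {
                throw new IllegalArgumentException("missing base metric " + required);
            }
        }
        return metrics;
    }

    // Numeric weights from the CVSS v3.1 specification (section 7.4).
    static double attackVector(String v) {
        switch (v) {
            case "N": return 0.85;
            case "A": return 0.62;
            case "L": return 0.55;
            case "P": return 0.20;
            default: throw new IllegalArgumentException("AV:" + v);
        }
    }

    static double attackComplexity(String v) {
        switch (v) {
            case "L": return 0.77;
            case "H": return 0.44;
            default: throw new IllegalArgumentException("AC:" + v);
        }
    }

    // Privileges Required weighs more when scope changes (0.68 / 0.50 instead of 0.62 / 0.27).
    static double privilegesRequired(String v, boolean scopeChanged) {
        switch (v) {
            case "N": return 0.85;
            case "L": return scopeChanged ? 0.68 : 0.62;
            case "H": return scopeChanged ? 0.50 : 0.27;
            default: throw new IllegalArgumentException("PR:" + v);
        }
    }

    static double userInteraction(String v) {
        switch (v) {
            case "N": return 0.85;
            case "R": return 0.62;
            default: throw new IllegalArgumentException("UI:" + v);
        }
    }

    // Confidentiality, Integrity and Availability share one weight table.
    static double cia(String v) {
        switch (v) {
            case "H": return 0.56;
            case "L": return 0.22;
            case "N": return 0.0;
            default: throw new IllegalArgumentException("C/I/A:" + v);
        }
    }

    // Roundup as defined in CVSS v3.1 Appendix A; integer arithmetic avoids float drift.
    static double roundUp(double x) {
        long scaled = Math.round(x * 100000);
        if (scaled % 10000 == 0) return scaled / 100000.0;
        return (Math.floor(scaled / 10000.0) + 1) / 10.0;
    }

    static double baseScore(String vector) {
        Map<String, String> m = parseVector(vector);
        boolean scopeChanged = m.get("S").equals("C");
        double iss = 1 - (1 - cia(m.get("C"))) * (1 - cia(m.get("I"))) * (1 - cia(m.get("A")));
        double impact = scopeChanged
            ? 7.52 * (iss - 0.029) - 3.25 * Math.pow(iss - 0.02, 15)
            : 6.42 * iss;
        double exploitability = 8.22 * attackVector(m.get("AV")) * attackComplexity(m.get("AC"))
            * privilegesRequired(m.get("PR"), scopeChanged) * userInteraction(m.get("UI"));
        if (impact <= 0) return 0.0;
        double raw = scopeChanged ? 1.08 * (impact + exploitability) : impact + exploitability;
        return roundUp(Math.min(raw, 10.0));
    }

    public static void main(String[] args) {
        // The two vectors Adobe published for these CVEs.
        String[][] advisory = {
            {"CVE-2025-54253", "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},
            {"CVE-2025-54254", "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N"},
        };
        for (String[] entry : advisory) {
            System.out.printf("%s  %s  base score %.1f%n", entry[0], entry[1], baseScore(entry[1]));
        }
    }
}
```

Compile and run with `javac Cvss31BaseScore.java && java Cvss31BaseScore`. The calculator only covers base metrics; temporal and environmental metrics, which an organisation would use to re-score these CVEs for an internal or segmented deployment, are not parsed.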

The second vulnerability, CVE-2025-54254, is an XML External Entity (XXE) flaw, classified under CWE-611 (Improper Restriction of XML External Entity Reference). 

With a CVSS score of 8.6 and vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N, this flaw allows attackers to perform arbitrary file system reads, potentially exposing sensitive configuration files, credentials, and other confidential data.
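CWE-611 is, at root, a parser-configuration problem: a JAXP DocumentBuilder that honours DOCTYPE declarations and resolves SYSTEM entities will pull local files into the parsed document, which is how an XXE bug turns into an arbitrary file read. The Java example below is added here and is not Adobe's code; it says nothing about how AEM Forms parses XML internally. It puts a stock factory beside a hardened one and checks that the hardened parser refuses a document carrying an external entity declaration while still accepting ordinary form data. The class name, the sample XML and the placeholder SYSTEM identifier are constructed for the example.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class XxeHardeningCheck {

    // Weak configuration: a stock JAXP factory. By default the JDK parser honours
    // DOCTYPE declarations and resolves SYSTEM entities, which is the CWE-611 pattern.
    static DocumentBuilder weakBuilder() throws ParserConfigurationException {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    // Hardened configuration: refuse DOCTYPE outright and, as defence in depth,
    // disable external entity resolution, external DTD/schema access and XInclude.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Returns true when the builder refuses the document, false when it parses it.
    static boolean rejects(DocumentBuilder builder, String xml) throws IOException {
        try {
            builder.parse(new InputSource(new StringReader(xml)));
            return false;
        } catch (SAXException e) {
            // With disallow-doctype-decl set, the hardened builder fails here on the DOCTYPE.
            return true;
        }
    }

    // Constructed sample inputs (not taken from the advisory).
    static final String BENIGN_FORM =
        "<?xml version=\"1.0\"?><form><field name=\"applicant\">Jane Doe</field></form>";

    // Shape of an XXE document: a DOCTYPE declaring an external general entity.
    // The SYSTEM identifier is a labelled placeholder, not a real path.
    static final String XXE_SHAPED =
        "<?xml version=\"1.0\"?>"
      + "<!DOCTYPE form [<!ENTITY ext SYSTEM \"file:///PLACEHOLDER/path\">]>"
      + "<form><field name=\"applicant\">&ext;</field></form>";

    public static void main(String[] args) throws Exception {
        DocumentBuilder hardened = hardenedBuilder();
        System.out.println("benign form accepted by hardened parser: " + !rejects(hardened, BENIGN_FORM));
        System.out.println("XXE-shaped document rejected by hardened parser: " + rejects(hardened, XXE_SHAPED));
        // The weak builder is only run on the benign document here; on XXE_SHAPED it would
        // try to resolve the SYSTEM identifier, which is exactly the behaviour CWE-611 describes.
        System.out.println("benign form accepted by weak parser: " + !rejects(weakBuilder(), BENIGN_FORM));
    }
}
```

The same feature strings apply to SAXParserFactory and XMLInputFactory-based code paths; a code review for CWE-611 in a Java application is largely a search for every place one of these factories is created and a check that it is configured like `hardenedBuilder()` rather than `weakBuilder()`.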

Both vulnerabilities affect Adobe Experience Manager (AEM) Forms on JEE versions 6.5.23.0 and earlier across all platforms. 

Security researchers Shubham Shah and Adam Kues from Assetnote discovered and reported these critical flaws to Adobe through responsible disclosure channels.

| CVE | Title | CVSS 3.1 Score | Severity |
|---|---|---|---|
| CVE-2025-54253 | Misconfiguration (CWE-16) – Arbitrary Code Execution | 10.0 | Critical |
| CVE-2025-54254 | XML External Entity Reference (XXE) – Arbitrary File System Read | 8.6 | Critical |

Mitigations

Adobe has confirmed that proof-of-concept exploits for both CVE-2025-54253 and CVE-2025-54254 are publicly available, significantly increasing the risk of active exploitation. 

However, the company states it is not currently aware of these vulnerabilities being exploited in the wild.

Organizations running affected AEM Forms installations must immediately update to version 6.5.0-0108, which addresses both security flaws. 

Adobe has classified this update with Priority 1 status, indicating the urgent nature of the patch deployment. Detailed update instructions are available through Adobe’s Experience League documentation platform.

The discovery of these zero-day vulnerabilities underscores the critical importance of maintaining current security patches for enterprise content management systems. 

Organizations should implement proper network segmentation and access controls while expediting the patching process to prevent potential compromise of their AEM Forms infrastructure.

The post Adobe AEM Forms 0-Day Vulnerability Let Attackers Execute Arbitrary Code appeared first on Cyber Security News.

rssfeeds-admin
