On August 5, 2025, Adobe released APSB25-82 to patch two critical zero-day vulnerabilities in Adobe Experience Manager (AEM) Forms on JEE (≤ 6.5.23.0). Both flaws have public proof-of-concept exploits but no active in-the-wild abuses reported to date. Immediate action is required to prevent remote compromise of AEM instances.
- CVE-2025-54253 – CVSS 3.1: 10.0 (Critical)
- CVE-2025-54254 – CVSS 3.1: 8.6 (High)
Technical Details
CVE-2025-54253: Misconfiguration RCE
AEM Forms on JEE left a Struts2 development mode misconfiguration enabled, allowing unauthenticated attackers to inject and execute OGNL expressions via debug parameters in HTTP requests.
The vulnerability can be exploited remotely over the network without any user interaction.
A public exploit chain was disclosed on July 29, 2025.
CVE-2025-54254: XML External Entity (XXE)
An XXE flaw in the SOAP-based authentication service permits attackers to submit crafted XML containing external entity references and read arbitrary local files (e.g., configuration or credential stores).
The vulnerability can be exploited without any user interaction by delivering a malicious, attacker-controlled XML payload.
Attack Scenario
Reconnaissance:
Attacker identifies an internet-facing AEM Forms endpoint (versions ≤ 6.5.23).
Weaponization:
- For XXE: craft XML payload referencing local file URIs.
- For RCE: embed OGNL payload in Struts2 debug parameter.
Delivery:
Submit HTTP(S) requests to vulnerable AEM endpoint.
Execution & Exfiltration:
- XXE: Receive contents of sensitive files (e.g., /etc/passwd, SSL keys).
- RCE: Execute system commands to install backdoors or pivot deeper into the network.
Indicators of Compromise (IoCs)
| Indicator | Description |
| --- | --- |
| Unusual SOAP/HTTP requests | Requests containing `<!ENTITY` declarations or `debug="xwork.MethodAccessor.denyMethodExecution=false"` |
| Server logs showing access | Entries showing access to `/adminui/` or SOAP endpoints from non-admin IPs |
| Unexpected file read errors | AEM log errors referencing sensitive file paths |
Mitigation & Recommendations
- Patch immediately by updating AEM Forms on JEE to version 6.5.0-0108 or later (APSB25-82).
- Implement network controls, such as restricting access to AEM admin and SOAP interfaces via VPN or IP whitelisting. Deploy a Web Application Firewall (WAF) with rules to block XXE payloads and suspicious Struts2 debug parameters.
- Harden your configuration by disabling Struts2 development mode in production configurations. Also disable XML external entities processing in all XML parsers handling untrusted input.
- Detect and monitor potential compromise attempts: implement SIEM rules that alert on payload patterns (`<!ENTITY%`, OGNL) and regularly review AEM audit logs for anomalous requests.
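As an added example (not the advisory's own tooling), the following Python routine turns the IoC table and the SIEM recommendation above into detection logic and runs it over constructed access-log lines and a constructed SOAP body. The trusted admin address set, the combined log format and the SOAP path are assumptions.

```python
import re
from urllib.parse import unquote

# Hypothetical set of trusted administrative source addresses; adjust per deployment.
ADMIN_IPS = {"10.0.0.5"}

# Indicator patterns from the IoC table above. Input is URL-decoded twice before
# matching so single- and double-percent-encoded variants are caught as well.
XXE_RE = re.compile(r"<!ENTITY", re.IGNORECASE)
STRUTS_DEBUG_RE = re.compile(r"debug=.*xwork\.MethodAccessor\.denyMethodExecution", re.IGNORECASE)
ADMIN_PATH_RE = re.compile(r"^/adminui/")
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')

def classify_request(src_ip, target, body=""):
    """Return the IoC names triggered by one request (empty list if it looks clean)."""
    decoded_target = unquote(unquote(target))
    text = decoded_target + "\n" + unquote(unquote(body))
    hits = []
    if XXE_RE.search(text):
        hits.append("xxe_entity_declaration")
    if STRUTS_DEBUG_RE.search(text):
        hits.append("struts2_debug_parameter")
    if ADMIN_PATH_RE.match(decoded_target.split("?", 1)[0]) and src_ip not in ADMIN_IPS:
        hits.append("adminui_access_from_non_admin_ip")
    return hits

def scan_access_log(lines):
    """Parse combined-format access log lines; return (ip, target, hits) for flagged ones."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip it rather than abort the whole scan
        hits = classify_request(m["ip"], m["target"])
        if hits:
            alerts.append((m["ip"], m["target"], hits))
    return alerts

# Constructed sample log lines (not real traffic) in combined log format.
SAMPLE_LOGS = [
    '203.0.113.7 - - [05/Aug/2025:10:01:02 +0000] "GET /content/forms/af/demo.html HTTP/1.1" 200 1532',
    '198.51.100.9 - - [05/Aug/2025:10:02:11 +0000] "GET /adminui/ HTTP/1.1" 302 0',
    '198.51.100.9 - - [05/Aug/2025:10:03:05 +0000] "GET /index.jsp?debug=xwork.MethodAccessor.denyMethodExecution%3Dfalse HTTP/1.1" 200 310',
    '10.0.0.5 - - [05/Aug/2025:10:05:00 +0000] "GET /adminui/ HTTP/1.1" 200 9731',
]
# Constructed SOAP body with an external entity declaration, as a WAF or proxy would log it.
SAMPLE_SOAP_BODY = ('<?xml version="1.0"?><!DOCTYPE r [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
                    '<soapenv:Envelope><soapenv:Body><login>&xxe;</login></soapenv:Body></soapenv:Envelope>')
```

Calling `scan_access_log(SAMPLE_LOGS)` flags the two requests from 198.51.100.9 and nothing else; `classify_request("198.51.100.9", "/soap/placeholder", SAMPLE_SOAP_BODY)` flags the entity declaration in the body.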
Stay Safe. Stay Secure
OP Innovate Research Team