
Adobe Patches Critical Experience Manager Flaws (CVE-2025-54253 & CVE-2025-54254)

CVE-2025-54253

Filip Dimitrov

August 6, 2025

On August 5, 2025, Adobe released APSB25-82 to patch two critical zero-day vulnerabilities in Adobe Experience Manager (AEM) Forms on JEE (≤ 6.5.23.0). Both flaws have public proof-of-concept exploits, but no in-the-wild exploitation has been reported to date. Immediate action is required to prevent remote compromise of AEM instances.

  • CVE-2025-54253 – CVSS 3.1: 10.0 (Critical)
  • CVE-2025-54254 – CVSS 3.1: 8.6 (High)

Technical Details

CVE-2025-54253: Misconfiguration RCE

AEM Forms on JEE shipped with a Struts2 development mode misconfiguration enabled, allowing unauthenticated attackers to inject and execute OGNL expressions via debug parameters in HTTP requests.

The vulnerability can be exploited remotely over the network without any user interaction.

A public exploit chain was disclosed on July 29, 2025.

CVE-2025-54254: XML External Entity (XXE)

An XXE flaw in the SOAP-based authentication service lets attackers submit crafted XML containing external entity references and read arbitrary local files (e.g., configuration or credential stores).

The vulnerability can be exploited without any user interaction by delivering a malicious, attacker-controlled XML payload.
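The parser-side fix for this class of bug is to refuse DTD features before the parser ever acts on them. AEM Forms is a Java product, so the following is an added illustration in Python (not Adobe's or AEM's code) of the same policy: a SOAP-style authentication request is parsed with Python's standard-library expat parser, and any DOCTYPE, entity declaration or external entity reference aborts parsing before a `file://` URI can be resolved. The two request documents and the `Envelope`/`Body`/`authenticate` element names are constructed for the example.

```python
import xml.parsers.expat


class UnsafeXmlError(ValueError):
    """Raised when a client document tries to use DTD features we refuse."""


def parse_untrusted_xml(document):
    """Parse XML from an untrusted client with every DTD feature turned off.

    Returns a nested dict (tag, attrs, text, children) on success. Raises
    UnsafeXmlError as soon as a DOCTYPE, an entity declaration or an external
    entity reference appears, i.e. before any file:// URI could be resolved.
    """
    parser = xml.parsers.expat.ParserCreate()

    # A DOCTYPE is where <!ENTITY ext SYSTEM "file:///..."> lives; legitimate
    # SOAP clients never send one, so the whole declaration is refused.
    def reject_doctype(doctype_name, system_id, public_id, has_internal_subset):
        raise UnsafeXmlError("DOCTYPE %r rejected: DTDs are not accepted" % doctype_name)

    def reject_entity_decl(name, is_parameter, value, base, system_id, public_id, notation):
        raise UnsafeXmlError("entity declaration %r rejected" % name)

    def refuse_external_ref(context, base, system_id, public_id):
        # Defence in depth: even if a DOCTYPE slipped through, never fetch the URI.
        raise UnsafeXmlError("external entity %r refused" % system_id)

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity_decl
    parser.ExternalEntityRefHandler = refuse_external_ref

    # Minimal tree builder so the caller gets something usable back.
    stack, root = [], []

    def start(name, attrs):
        node = {"tag": name, "attrs": attrs, "text": "", "children": []}
        if stack:
            stack[-1]["children"].append(node)
        stack.append(node)

    def end(name):
        node = stack.pop()
        if not stack:
            root.append(node)

    def chars(data):
        stack[-1]["text"] += data

    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars
    parser.Parse(document, True)
    return root[0]


def is_acceptable(document):
    """True when the document parses under the strict policy, False otherwise."""
    try:
        parse_untrusted_xml(document)
        return True
    except (UnsafeXmlError, xml.parsers.expat.ExpatError):
        return False


# Constructed sample requests (not real AEM traffic).
BENIGN_REQUEST = (
    '<?xml version="1.0"?>'
    "<Envelope><Body><authenticate><username>alice</username>"
    "</authenticate></Body></Envelope>"
)
# The textbook XXE shape the advisory describes: an entity bound to a local file URI.
XXE_REQUEST = (
    '<?xml version="1.0"?>'
    '<!DOCTYPE Envelope [<!ENTITY ext SYSTEM "file:///etc/passwd">]>'
    "<Envelope><Body><authenticate><username>&ext;</username>"
    "</authenticate></Body></Envelope>"
)

if __name__ == "__main__":
    print("benign accepted:", is_acceptable(BENIGN_REQUEST))
    print("xxe accepted:   ", is_acceptable(XXE_REQUEST))
```

In a Java stack such as AEM the equivalent switch is the parser feature `http://apache.org/xml/features/disallow-doctype-decl` set to `true` on `DocumentBuilderFactory` (or `SAXParserFactory`), which rejects the DOCTYPE outright rather than trying to sanitise entity expansion after the fact.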

Attack Scenario

Reconnaissance:
Attacker identifies an internet-facing AEM Forms endpoint (versions ≤ 6.5.23).

Weaponization:

  • For XXE: craft XML payload referencing local file URIs.
  • For RCE: embed OGNL payload in Struts2 debug parameter.

Delivery:
Submit HTTP(S) requests to vulnerable AEM endpoint.

Execution & Exfiltration:

  • XXE: Receive contents of sensitive files (e.g., /etc/passwd, SSL keys).
  • RCE: Execute system commands to install backdoors or pivot deeper into the network.

Indicators of Compromise (IoCs)

Indicator – Description

  • Unusual SOAP/HTTP requests – Requests containing `<!ENTITY` declarations or `debug="xwork.MethodAccessor.denyMethodExecution=false"`
  • Server logs showing access – Entries showing access to `/adminui/` or SOAP endpoints from non-admin IPs
  • Unexpected file read errors – AEM log errors referencing sensitive file paths

Mitigation & Recommendations

  1. Patch immediately by updating AEM Forms on JEE to version 6.5.0-0108 or later (APSB25-82). See more info about patching here.
  2. Implement network controls, such as restricting access to AEM admin and SOAP interfaces via VPN or IP whitelisting. Deploy a Web Application Firewall (WAF) with rules to block XXE payloads and suspicious Struts2 debug parameters.
  3. Harden your configuration by disabling Struts2 development mode in production configurations. Also disable XML external entity processing in all XML parsers handling untrusted input.
  4. To detect and monitor potential compromise attempts, implement SIEM rules to alert on payload patterns (`<!ENTITY%`, OGNL). Regularly review AEM audit logs for anomalous requests.
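The IoC table and recommendation 4 above describe three detections; the following is an added example (not from the advisory, OP Innovate, or Adobe) that implements them as a small Python scanner over JSON-lines log records. It assumes a reverse proxy or WAF exports access events with `src_ip`, `path`, `query` and a `body_excerpt`, and that AEM error-log events carry a `message` field; the `10.0.0.0/8` admin range, the `/example-form.html` and `/example-soap-auth` paths, and every log record are constructed for the example. Query strings and bodies are URL-decoded twice before matching so that percent-encoded `<!ENTITY` or OGNL markers do not slip past a literal comparison.

```python
import ipaddress
import json
from urllib.parse import unquote_plus

# Constructed: the VPN / bastion range from which admin-UI access is expected.
ADMIN_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]

# Markers taken from the advisory's IoC table and SIEM recommendation (lower-cased).
XXE_MARKER = "<!entity"
STRUTS_DEBUG_MARKER = "xwork.methodaccessor.denymethodexecution=false"
ADMIN_PREFIXES = ("/adminui/",)
SENSITIVE_PATHS = ("/etc/passwd", "/etc/shadow", ".pem", ".key", ".jks")


def _decode(value):
    """URL-decode twice and lower-case, so %3C!ENTITY and %253C!ENTITY both surface."""
    return unquote_plus(unquote_plus(value or "")).lower()


def _from_admin_network(ip_text):
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in ADMIN_NETWORKS)


def match_access_event(event):
    """Return the list of IoC rule names a proxy/WAF access event triggers."""
    hits = []
    payload = _decode(event.get("query")) + "\n" + _decode(event.get("body_excerpt"))
    if XXE_MARKER in payload:
        hits.append("xxe_entity_declaration")
    if STRUTS_DEBUG_MARKER in payload:
        hits.append("struts2_debug_ognl")
    path = (event.get("path") or "").lower()
    if path.startswith(ADMIN_PREFIXES) and not _from_admin_network(event.get("src_ip") or ""):
        hits.append("adminui_from_non_admin_ip")
    return hits


def match_error_event(event):
    """Return IoC rule names for an AEM error-log event that names a sensitive file."""
    message = (event.get("message") or "").lower()
    if any(p in message for p in SENSITIVE_PATHS):
        return ["sensitive_file_read_error"]
    return []


def scan(lines):
    """Run both matchers over JSON-lines records; return one alert dict per hit."""
    alerts = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        event = json.loads(raw)
        matcher = match_error_event if event.get("type") == "error" else match_access_event
        for rule in matcher(event):
            alerts.append({"rule": rule, "src_ip": event.get("src_ip"), "line": raw})
    return alerts


# Constructed sample records (not real traffic); 203.0.113.0/24 and 198.51.100.0/24
# are documentation address space, and the paths are placeholders.
SAMPLE_LOG = [
    '{"type":"access","src_ip":"10.0.4.7","path":"/adminui/","query":"","body_excerpt":""}',
    '{"type":"access","src_ip":"203.0.113.9","path":"/adminui/","query":"","body_excerpt":""}',
    '{"type":"access","src_ip":"203.0.113.9","path":"/example-form.html",'
    '"query":"debug=%22xwork.MethodAccessor.denyMethodExecution%3Dfalse%22","body_excerpt":""}',
    '{"type":"access","src_ip":"203.0.113.9","path":"/example-soap-auth","query":"",'
    '"body_excerpt":"<?xml version=\\"1.0\\"?><!DOCTYPE a [<!ENTITY ext SYSTEM \\"file:///etc/passwd\\">]>"}',
    '{"type":"access","src_ip":"198.51.100.2","path":"/content/forms/af/contact.html",'
    '"query":"wcmmode=disabled","body_excerpt":""}',
    '{"type":"error","src_ip":null,"message":"java.io.FileNotFoundException: /etc/shadow (Permission denied)"}',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert["rule"], alert["src_ip"])
```

The admin-source check is deliberately an allow-list of networks rather than a deny-list of known-bad addresses: an `/adminui/` hit from anywhere outside the expected range is the signal, regardless of whether that address has been seen before. The error-log rule is the noisiest of the three and is best correlated with the other two in the SIEM rather than alerted on alone.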

Stay Safe. Stay Secure

OP Innovate Research Team
