
CISA warns that attackers are actively exploiting a maximum-severity vulnerability in Adobe Experience Manager to execute code on unpatched systems.
Tracked as CVE-2025-54253, this critical flaw is a misconfiguration vulnerability affecting Adobe Experience Manager (AEM) Forms on JEE version 6.5.23 and earlier.
Successful exploitation could allow unauthenticated threat actors to bypass security mechanisms and remotely execute arbitrary code in low-complexity attacks that do not require user interaction.
The flaw was discovered by Adam Kues and Shubham Shah of Searchlight Cyber, who disclosed it to Adobe on April 28 along with two other issues (CVE-2025-54254 and CVE-2025-49533).
However, Adobe patched only the latter in April, leaving the other two unpatched for more than 90 days, until the two researchers published a write-up on July 29 explaining in detail how the vulnerabilities work and how they can be exploited.
Adobe finally released a security update on August 9 to address the CVE-2025-54253 vulnerability, confirming that proof-of-concept exploit code was already publicly available.
As Searchlight Cyber explained, CVE-2025-54253 is an authentication bypass that leads to remote code execution (RCE) via Struts DevMode. The researchers also advised administrators who cannot patch immediately to restrict Internet access to AEM Forms when it is deployed as a standalone application.
CISA has now added this vulnerability to its Known Exploited Vulnerabilities catalog. Under Binding Operational Directive (BOD) 22-01, issued in November 2021, Federal Civilian Executive Branch (FCEB) agencies have three weeks, until November 5, to secure their systems.
Although BOD 22-01 targets US federal agencies, the cybersecurity agency encouraged all organizations, including the private sector, to prioritize patching their systems against this actively exploited flaw as quickly as possible.
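The BOD 22-01 workflow described above reduces, in practice, to matching a KEV catalog entry against an asset inventory and tracking the due date. The script below is an added example, not code from the article, CISA or Adobe. It embeds a constructed KEV-style record for CVE-2025-54253 (the `dateAdded` value is assumed from the article's "three weeks until November 5"; the `dueDate` is the date the article gives) and a constructed inventory of AEM Forms on JEE hosts, then reports which hosts fall in the affected range (6.5.23 and earlier) and how many days remain before the deadline. The real feed is published at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json and uses the same field names.

```python
"""Triage an asset inventory against a CISA KEV catalog entry (added example)."""
import json
from datetime import date
from typing import Optional

# Constructed KEV-style record. Field names match the real KEV JSON feed;
# dateAdded is assumed (three weeks before the article's November 5 deadline).
KEV_SAMPLE = json.dumps({
    "vulnerabilities": [
        {
            "cveID": "CVE-2025-54253",
            "vendorProject": "Adobe",
            "product": "Experience Manager Forms",
            "dateAdded": "2025-10-15",
            "dueDate": "2025-11-05",
            "requiredAction": "Apply mitigations per vendor instructions, "
                              "follow BOD 22-01 guidance for cloud services, "
                              "or discontinue use of the product.",
        }
    ]
})

# Constructed inventory: hostname -> AEM Forms on JEE version string.
INVENTORY = {
    "aem-forms-prod-01": "6.5.23",
    "aem-forms-prod-02": "6.5.22.0",
    "aem-forms-stage": "6.5.24",
    "aem-forms-dev": "6.5.9",
}

# Last vulnerable version per the advisory: 6.5.23 and earlier are affected.
LAST_VULNERABLE = "6.5.23"


def parse_version(v: str) -> tuple:
    """Turn '6.5.23.0' into (6, 5, 23, 0) so comparison is numeric, not lexical
    (a string compare would wrongly rank '6.5.9' above '6.5.23')."""
    return tuple(int(p) for p in v.strip().split("."))


def is_affected(version: str, last_vulnerable: str = LAST_VULNERABLE) -> bool:
    """True when version <= last_vulnerable. Shorter tuples are zero-padded
    so that '6.5.23' and '6.5.23.0' compare equal."""
    a, b = parse_version(version), parse_version(last_vulnerable)
    n = max(len(a), len(b))
    a += (0,) * (n - len(a))
    b += (0,) * (n - len(b))
    return a <= b


def kev_entry(feed_json: str, cve_id: str) -> Optional[dict]:
    """Return the KEV record for cve_id, or None if the catalog lacks it."""
    for entry in json.loads(feed_json)["vulnerabilities"]:
        if entry["cveID"] == cve_id:
            return entry
    return None


def triage(feed_json: str, inventory: dict, cve_id: str, today: date) -> dict:
    """Match the inventory against one KEV entry and compute deadline status."""
    entry = kev_entry(feed_json, cve_id)
    if entry is None:
        raise KeyError(f"{cve_id} is not in the KEV feed")
    due = date.fromisoformat(entry["dueDate"])
    affected = sorted(h for h, v in inventory.items() if is_affected(v))
    return {
        "cve": cve_id,
        "due_date": entry["dueDate"],
        "days_remaining": (due - today).days,
        "overdue": today > due,
        "affected_hosts": affected,
        "required_action": entry["requiredAction"],
    }


if __name__ == "__main__":
    report = triage(KEV_SAMPLE, INVENTORY, "CVE-2025-54253", date(2025, 10, 15))
    print(json.dumps(report, indent=2))
```

Swap `KEV_SAMPLE` for the downloaded feed and `INVENTORY` for output from your CMDB or a version probe, and the same `triage` call gives a per-host patch list with the BOD 22-01 countdown; the numeric version compare is the part most ad-hoc scripts get wrong.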
“Apply mitigations according to vendor instructions, follow BOD 22-01 guidance applicable to cloud services, or discontinue use of the product if mitigations are not available,” CISA warned on Wednesday.
“These types of vulnerabilities are a persistent attack vehicle for malicious cyber actors and pose significant risks to the federal enterprise,” it added.