Adobe has released critical security patches to fix severe vulnerabilities in Adobe Experience Manager (AEM) Forms on JEE, specifically addressing CVE-2025-54253, a maximum-severity arbitrary code execution flaw with a perfect CVSS score of 10.0, and CVE-2025-54254, a critical XML External Entity (XXE) injection vulnerability with a CVSS of 8.6. The patched version 6.5.0-0108 was released in early August 2025 after Searchlight Cyber researchers discovered these vulnerabilities, which exposed the `/adminui/debug` servlet that evaluates user-supplied OGNL expressions without authentication or input validation. Anyone running Adobe Experience Manager Forms on JEE version 6.5.23.0 or earlier is immediately at risk of remote code execution attacks, as these flaws enable unauthenticated attackers to execute arbitrary Java code directly on affected systems.
The severity of this vulnerability cannot be overstated. Unlike typical security patches that address isolated issues, CVE-2025-54253 represents a complete authentication bypass to remote code execution chain via Struts2 devmode, allowing attackers to gain full control of a web server with a single request. For organizations managing customer data, content management workflows, or e-commerce transactions through AEM, this vulnerability creates an immediate threat of data theft, malware injection, or complete infrastructure compromise.
Table of Contents
- What Are the Critical Vulnerabilities Affecting Adobe Experience Manager?
- Technical Details: How the /adminui/debug Servlet Enables Remote Code Execution
- Active Exploitation and the CISA Known Exploited Vulnerabilities Designation
- How to Apply the Security Patch and Update Your Adobe Experience Manager Installation
- Common Misconfigurations and Security Risks in AEM Deployments
- Federal Requirements and Compliance Implications for Government Contractors
- Building Long-Term Security Strategy for Adobe Experience Manager Deployments
- Conclusion
- Frequently Asked Questions
What Are the Critical Vulnerabilities Affecting Adobe Experience Manager?
CVE-2025-54253 is the more severe of the two vulnerabilities, with a perfect CVSS 10.0 rating indicating maximum severity and immediate exploitability. This arbitrary code execution vulnerability allows unauthenticated attackers to execute arbitrary Java code on affected AEM servers through the exposed debug servlet. CVE-2025-54254, the XXE injection vulnerability rated at CVSS 8.6, allows attackers to read arbitrary files from the file system by manipulating XML input processing. Both vulnerabilities affect Adobe Experience Manager Forms on JEE versions 6.5.23.0 and earlier, meaning organizations that haven’t actively updated their AEM installations in recent months are almost certainly vulnerable.
The vulnerabilities were discovered by Searchlight Cyber researchers Adam Kues and Shubham Shah, who disclosed the flaws to Adobe on April 28, 2025. Adobe responded with emergency out-of-band patches released on August 5, 2025, after public proof-of-concept exploits became available. The speed of Adobe’s patch release underscores the urgency of the situation—Adobe prioritized these fixes above its regular quarterly patch schedule because active exploitation was already occurring in the wild. For comparison, most security vulnerabilities take weeks or months to gain public attention and adoption by threat actors. This vulnerability went from public PoC to active exploitation within days.

Technical Details: How the /adminui/debug Servlet Enables Remote Code Execution
The core vulnerability exploits an authentication bypass in the `/adminui/debug` servlet, which is a debugging interface exposed in AEM installations. This servlet processes user input and evaluates OGNL (Object-Graph Navigation Language) expressions as Java code without performing any input validation or requiring authentication. An attacker can craft a malicious HTTP request containing OGNL expressions that execute arbitrary Java methods, read system properties, modify files, or establish reverse shells for persistent access. The vulnerability is particularly dangerous because it requires no special knowledge of the target application—any attacker with network access to the AEM server can exploit it, and the attack leaves minimal forensic evidence if the server’s debug logging isn’t enabled.
The XXE injection vulnerability (CVE-2025-54254) works differently but with equally serious consequences. XML External Entity vulnerabilities allow attackers to define custom entity references that point to sensitive files on the server or internal network resources. By submitting specially crafted XML input to AEM, an attacker can read database configuration files, source code, API keys stored in environment variables, or any other sensitive data accessible to the application process. Unlike the RCE vulnerability, XXE attacks are typically used for reconnaissance and data exfiltration rather than direct system compromise, but they often serve as a stepping stone to other attacks. A practical complication is that the obvious workaround is not free: disabling the debug servlet in production removes a debugging and troubleshooting path that development teams and Adobe support engineers rely on, so organizations cannot simply switch it off and consider the problem solved.
Active Exploitation and the CISA Known Exploited Vulnerabilities Designation
By October 15, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-54253 to its Known Exploited Vulnerabilities (KEV) Catalog, confirming that the vulnerability was actively being exploited in real-world attacks against U.S. government and private sector organizations. This designation is particularly significant because it triggers compliance requirements for federal contractors and indicates that threat actors have moved beyond theoretical exploitation to practical attacks against running systems. CISA subsequently issued an emergency alert requiring all federal civilian executive branch (FCEB) agencies to apply the security fixes by November 5, 2025, giving organizations just three weeks to identify affected systems, test patches, and deploy updates across their infrastructure.
The timeline of exploitation reveals how rapidly these vulnerabilities were weaponized. Initial discovery occurred in July 2025, but the vulnerability chain had likely existed in AEM code for much longer. Public PoC exploits became available around August 5, 2025, and within approximately 70 days, the vulnerability appeared frequently enough in real-world attacks to warrant CISA’s KEV designation. For many organizations, this timeline was catastrophically short. Typical enterprise patch management processes take 30 to 60 days just to test patches in staging environments before production deployment. Organizations that weren’t actively monitoring security mailing lists or had slow patch management processes almost certainly had active compromises occurring on their systems during this window.
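One way to look back over that window is to hunt web server access logs for any request that reached the `/adminui/debug` servlet, since outside a small administrative allowlist nothing should ever call it. The class below is an added example, not code from Adobe or from the Searchlight researchers; it assumes NCSA combined log format, and the allowlist address and log lines are constructed for the illustration.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Scans NCSA combined access-log lines for requests to the /adminui/debug
// servlet and flags any that a non-allowlisted client got answered (HTTP 200),
// the first thing to triage. Added example; allowlist and log lines are constructed.
public class DebugServletHunter {
    // Assumed administrative jump host: the only client expected to use the servlet.
    static final Set<String> ADMIN_ALLOWLIST = Set.of("10.0.5.20");
    // client ident user [time] "METHOD path PROTO" status ...
    static final Pattern LINE = Pattern.compile(
        "^(\\S+) \\S+ \\S+ \\[([^\\]]+)\\] \"(\\S+) (\\S+) [^\"]*\" (\\d{3}) ");

    public static final class Hit {
        public final String client, time, method, path;
        public final int status;
        public final boolean allowlisted;
        Hit(String client, String time, String method, String path, int status) {
            this.client = client; this.time = time; this.method = method;
            this.path = path; this.status = status;
            this.allowlisted = ADMIN_ALLOWLIST.contains(client);
        }
        // The servlet answered a client outside the allowlist: treat as possible exploitation.
        public boolean isHighRisk() { return !allowlisted && status == 200; }
    }

    public static List<Hit> scan(List<String> lines) {
        List<Hit> hits = new ArrayList<>();
        for (String line : lines) {
            Matcher m = LINE.matcher(line);
            if (!m.find()) continue;                 // unparseable line, skip it
            String path = m.group(4);
            int q = path.indexOf('?');
            String bare = q < 0 ? path : path.substring(0, q);   // drop the query string
            if (!bare.equalsIgnoreCase("/adminui/debug")) continue;
            hits.add(new Hit(m.group(1), m.group(2), m.group(3), path,
                             Integer.parseInt(m.group(5))));
        }
        return hits;
    }

    public static void main(String[] args) {
        List<String> sample = List.of(   // constructed lines, not real traffic
            "203.0.113.7 - - [12/Aug/2025:03:14:09 +0000] \"POST /adminui/debug HTTP/1.1\" 200 512 \"-\" \"curl/8.0\"",
            "10.0.5.20 - - [12/Aug/2025:09:01:22 +0000] \"GET /adminui/debug HTTP/1.1\" 200 2048 \"-\" \"Mozilla/5.0\"",
            "198.51.100.9 - - [12/Aug/2025:09:05:00 +0000] \"GET /content/forms/af/demo.html HTTP/1.1\" 200 9000 \"-\" \"Mozilla/5.0\"");
        for (Hit h : scan(sample)) {
            String verdict = h.isHighRisk() ? "HIGH-RISK" : (h.allowlisted ? "allowlisted" : "denied");
            System.out.printf("%s %s %s %s status=%d %s%n",
                h.time, h.client, h.method, h.path, h.status, verdict);
        }
    }
}
```

Any HIGH-RISK line from the exposure window is a reason to start incident response on that host rather than just patch it.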

How to Apply the Security Patch and Update Your Adobe Experience Manager Installation
Organizations running Adobe Experience Manager Forms on JEE versions 6.5.23.0 or earlier must immediately update to version 6.5.0-0108 or later. Adobe provides the patches through the standard Adobe Security Bulletins and Advisories page at helpx.adobe.com/security/security-bulletin.html. The patching process varies depending on whether your AEM installation is deployed on-premises, on Adobe Managed Services, or in a cloud environment. On-premises installations require downloading the patch from Adobe’s support portal, testing in a non-production environment, and rolling out the update during a maintenance window. Adobe Managed Services customers typically receive patches automatically, but organizations should verify with their Adobe account team that patches have been applied and confirm the current running version.
The tradeoff in emergency patching like this is between speed and thoroughness. Standard patch management practices call for extensive regression testing before production deployment, particularly for critical infrastructure like content management systems that support customer-facing applications. However, with a CVSS 10.0 remote code execution vulnerability actively being exploited, the risk of remaining unpatched far exceeds the risk of potential issues from rapid patching. Organizations should apply patches in this situation even if testing must be abbreviated, focusing regression testing on the specific changes addressed by the patch rather than comprehensive application testing. A practical comparison: if your AEM server is compromised by this vulnerability, recovering from a ransomware attack or data breach will require far more downtime and resources than handling a potential issue introduced by rapid patching.
Common Misconfigurations and Security Risks in AEM Deployments
Many organizations run AEM with the debug interface enabled in production environments, either because they inherited configurations from development systems or because they didn’t realize the security implications of leaving debugging functionality exposed. The `/adminui/debug` servlet should never be accessible from the internet or even from internal networks unless absolutely necessary. Even after applying the security patch, organizations should audit their AEM security configurations to ensure the debug interface is disabled, restricted to specific IP addresses, or removed entirely from production deployments. A critical warning: some organizations disable debugging through configuration management systems but fail to verify that the configuration was actually applied, or they upgrade AEM versions and accidentally inherit default configurations that re-enable debugging. Another common misconfiguration involves XML processing security settings.
The XXE vulnerability can be mitigated not only through patching but also through proper XML parser configuration. However, many AEM administrators are unaware that XML parsers used by Java applications are often configured to process external entities by default. Organizations should implement XML entity expansion limits and disable external entity processing at the application level, even after applying patches. This defense-in-depth approach protects against potential future XXE vulnerabilities and other XML-based attacks. A significant limitation is that implementing these hardening measures requires Java application server expertise and deep understanding of AEM’s XML processing pipeline—many organizations lack this expertise internally and must engage Adobe Professional Services or security consultants to implement these controls properly.

Federal Requirements and Compliance Implications for Government Contractors
The CISA KEV designation and emergency directive requiring federal agencies to patch by November 5, 2025, creates cascading compliance requirements for organizations that contract with the federal government. Any federal contractor, vendor, or service provider that operates AEM systems or processes federal data must also demonstrate compliance with the patching deadline. Failure to patch can result in loss of federal contracts, substantial financial penalties, or criminal liability under the Federal Information Security Modernization Act (FISMA). Organizations should inventory all AEM deployments, identify which systems process federal data or support federal operations, and prioritize patching of those systems to meet the CISA deadline.
Non-federal organizations should also take this deadline seriously as an indicator of severity. When CISA designates a vulnerability for KEV status and issues an emergency directive, it reflects not only government systems but broader real-world exploitation trends. Threat actors prioritize attacks on systems that government agencies consider high-risk, because successful breaches of government contractors often provide pathways to government networks and sensitive data. If your organization uses AEM and handles any sensitive data or supports any mission-critical operations, treating this patch with the same urgency as federal contractors is prudent even if you’re not technically obligated.
Building Long-Term Security Strategy for Adobe Experience Manager Deployments
This vulnerability demonstrates the importance of establishing a proactive security posture for enterprise software like AEM. Rather than treating patches as reactions to discovered vulnerabilities, organizations should implement continuous vulnerability scanning, automated patch management where possible, and regular security audits of AEM configurations. Tools like vulnerability scanners that check AEM deployments against known CVE databases can identify exposure windows before exploits become widely available.
Additionally, organizations should establish security baselines for AEM—documented configurations that represent the minimum-security-acceptable state—and regularly audit production systems against these baselines. The evolving threat landscape around enterprise content management and digital experience platforms suggests that AEM will remain a target for sophisticated threat actors. Organizations that have successfully patched this vulnerability should use this as an opportunity to implement broader security improvements: network segmentation to isolate AEM systems from the public internet, application-layer firewalls to block suspicious XML and OGNL injection attempts, comprehensive logging and monitoring to detect exploitation attempts, and regular security training for teams managing AEM infrastructure. The investment in these improvements pays dividends not only in protecting against future AEM vulnerabilities but in building institutional security maturity that protects all systems and applications.
Conclusion
The Adobe Experience Manager critical security vulnerabilities—CVE-2025-54253 (CVSS 10.0 arbitrary code execution) and CVE-2025-54254 (CVSS 8.6 XXE injection)—represent an immediate and severe threat to any organization running AEM Forms on JEE versions 6.5.23.0 or earlier. These flaws were actively being exploited by threat actors, leading CISA to add them to the Known Exploited Vulnerabilities catalog and issue an emergency directive requiring federal agencies to patch by November 5, 2025. The vulnerabilities exploit an exposed debug servlet that processes user input without authentication or validation, allowing attackers to execute arbitrary code or read sensitive files directly from affected servers.
Organizations must prioritize patching to version 6.5.0-0108 or later immediately, treating this with the same urgency as federal compliance requirements regardless of contractor status. Beyond simply applying patches, teams should audit AEM security configurations to disable debugging functionality in production, implement XML processing restrictions, and establish continuous vulnerability scanning and security monitoring. This incident should serve as a catalyst for building more mature security practices around enterprise content management systems—treating patches as part of a comprehensive security strategy rather than isolated responses to crises.
Frequently Asked Questions
How do I verify if my Adobe Experience Manager installation is vulnerable?
Check your current AEM version by accessing the AEM welcome screen or system console. If you’re running any version 6.5.23.0 or earlier of AEM Forms on JEE, you’re vulnerable. Adobe’s Security Bulletins page at helpx.adobe.com/security/products/aem-forms/apsb25-82.html provides detailed version information and patch details.
What happens if my AEM server is compromised by this vulnerability?
An attacker gains complete code execution on your server with the privileges of the AEM application process. This enables data theft, malware installation, ransomware deployment, lateral movement within your network, or deletion of critical content. Immediate incident response and forensic investigation are required.
Can I disable the /adminui/debug servlet instead of patching?
Disabling the debug servlet provides partial mitigation but is not a substitute for patching. The official Adobe patches address the underlying vulnerability in the servlet code. You should both apply the official patch and disable or restrict access to the debug interface.
Do Adobe Managed Services customers need to do anything?
Adobe Managed Services typically applies patches automatically, but you should contact your Adobe account team to confirm that the AEM patch has been deployed to your environment. Request confirmation of your current running version.
What is OGNL and why does this vulnerability matter?
OGNL (Object-Graph Navigation Language) is a Java expression language that can execute arbitrary Java code. When an application evaluates untrusted OGNL expressions, attackers can invoke methods, access properties, and execute code. This is one of the most dangerous vulnerabilities possible in Java applications.
Does this vulnerability affect Adobe Experience Manager on AEM as a Cloud Service?
This vulnerability primarily affects AEM Forms on JEE deployed on-premises or on Adobe Managed Services. AEM as a Cloud Service customers should verify with Adobe support, but cloud-hosted instances typically benefit from automatic security updates.