CISA Warning: Critical Adobe Flaw Rated 10/10 Under Active Attack
The U.S. cybersecurity agency CISA has added a critical, actively exploited flaw in Adobe Experience Manager (AEM) to its Known Exploited Vulnerabilities (KEV) catalog. The flaw, CVE-2025-54253, is a misconfiguration vulnerability with a CVSS score of 10.0 that permits arbitrary code execution. It affects AEM Forms on JEE versions 6.5.23.0 and earlier. Adobe fixed it in build 6.5.0-0108, released in early August 2025, and in the same update remediated CVE-2025-54254 (CVSS 8.6).
Adam Kues and Shubham Shah of Searchlight Cyber have detailed how the flaw chains an authentication bypass with remote command execution through the Struts2 framework's development mode (devmode). At the heart of the problem is an unprotected servlet, /adminui/debug, which accepts user-supplied OGNL expressions and evaluates them server-side with no authentication and no input validation; because OGNL can invoke arbitrary Java methods, this amounts to unauthenticated code execution. As FireCompass observed, exploitation needs only a single specially crafted HTTP request.
While the precise tactics used in live incidents remain undisclosed, Adobe has confirmed that public proof-of-concept exploits exist for both vulnerabilities, which markedly lowers the bar for attackers. Because exploitation is active, U.S. federal civilian agencies must apply the update by 5 November 2025 under Binding Operational Directive 22-01, which sets remediation deadlines for KEV entries.
This advisory arrives alongside another KEV addition: the long-standing CVE-2016-7836 in SKYSEA Client View, which JVN reported was exploited as far back as 2016. That vulnerability, an improper-authentication flaw in the management console's TCP connection handling, likewise permitted remote code execution. Listing the two together underscores a consistent message from CISA: eliminate unauthenticated access paths that lead to RCE, however old the original disclosure.
AEM operators should act now. Verify the exact AEM Forms on JEE version in use and deploy 6.5.0-0108 or a later release. Until the update is installed, block /adminui/debug at the web server or reverse proxy in front of the application server, and confirm the block by requesting the path from outside the trusted network. Audit any configuration that enables Struts2 devmode or OGNL evaluation; devmode should never be enabled in production. Finally, inventory Internet-facing AEM hosts and restrict administrative interfaces to trusted networks. A blocked path is a stopgap, not a substitute for the patch.
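As an added example (not code from Adobe, CISA, or the researchers cited above), the following Python helpers support two of the steps just listed: flagging an installed version as inside the affected range, and sweeping an access log for requests that reached /adminui/debug, including percent-encoded or dot-segment variants that a plain substring match would miss. The log lines are constructed for the example, and the function and constant names are this example's own. A result of 6.5.23.0 or earlier means the host must still be checked for the 6.5.0-0108 hotfix, whose build number is not expressed in the dotted release scheme.

```python
"""Triage helpers for CVE-2025-54253 (AEM Forms on JEE): affected-version
check and an access-log sweep for the unauthenticated /adminui/debug servlet.
Added example; not Adobe's, CISA's, or Searchlight Cyber's code."""
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Per Adobe's advisory, AEM Forms on JEE 6.5.23.0 and earlier are affected.
LAST_AFFECTED = (6, 5, 23, 0)
DEBUG_SERVLET = "/adminui/debug"

# Common Log Format: client IP, timestamp, request line, status code.
_CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample log (not real traffic). Line 3 hides the servlet name
# behind percent-encoding, line 4 behind a dot segment, line 5 is a near-miss
# path, and line 6 is a malformed record that the parser must skip.
SAMPLE_LOG = """\
203.0.113.10 - - [15/Oct/2025:10:01:02 +0000] "GET /adminui/debug HTTP/1.1" 200 512 "-" "curl/8.4.0"
198.51.100.7 - - [15/Oct/2025:10:01:05 +0000] "GET /content/forms/af/sample.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.10 - - [15/Oct/2025:10:02:11 +0000] "POST /adminui/%64ebug HTTP/1.1" 200 77 "-" "python-requests/2.32"
192.0.2.44 - - [15/Oct/2025:10:03:00 +0000] "GET /adminui/./debug HTTP/1.1" 403 0 "-" "Go-http-client/1.1"
192.0.2.44 - - [15/Oct/2025:10:03:04 +0000] "GET /adminui/debugger HTTP/1.1" 404 0 "-" "Go-http-client/1.1"
this line is not a valid access-log record
"""


def parse_version(s: str) -> tuple[int, ...]:
    """'6.5.23.0' -> (6, 5, 23, 0); raise on anything that is not dotted digits."""
    parts = s.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {s!r}")
    return tuple(int(p) for p in parts)


def is_affected_version(s: str) -> bool:
    """True when the reported release is 6.5.23.0 or earlier. Such a host must
    additionally be checked for the 6.5.0-0108 hotfix, which this dotted
    scheme cannot express (assumption: the dotted form is what the install
    reports)."""
    return parse_version(s) <= LAST_AFFECTED


def normalize_path(target: str) -> str:
    """Reduce a request target to the path the servlet container would route:
    drop the query string, percent-decode once (as the container does), collapse
    repeated slashes, and resolve '.' and '..' segments."""
    path = unquote(urlsplit(target).path)
    path = re.sub(r"/+", "/", path)  # normpath keeps a leading '//', so collapse first
    return posixpath.normpath(path)


def scan_access_log(lines):
    """Return (ip, method, status, raw_target) for every parseable request
    whose normalised path is the debug servlet. Unparseable lines are skipped."""
    hits = []
    for line in lines:
        m = _CLF.match(line)
        if not m:
            continue
        if normalize_path(m["target"]) == DEBUG_SERVLET:
            hits.append((m["ip"], m["method"], int(m["status"]), m["target"]))
    return hits


def served_requests(hits):
    """Hits the server actually answered (2xx). A 401/403/404 indicates a block
    or the absence of the servlet; a 2xx means the endpoint was reachable."""
    return [h for h in hits if 200 <= h[2] < 300]


if __name__ == "__main__":
    print("version 6.5.23.0 affected:", is_affected_version("6.5.23.0"))
    for hit in served_requests(scan_access_log(SAMPLE_LOG.splitlines())):
        print("debug servlet answered a request:", hit)
```

Run against a real log, the served hits are the ones to escalate: each is a client that reached an unauthenticated code-execution endpoint, so the host should be treated as potentially compromised rather than merely unpatched. The blocked hit from 192.0.2.44 shows what a correctly configured reverse-proxy rule looks like in the log.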