Urgent Patch: Critical Flaws in Adobe Experience Manager Allow Remote Takeover
Adobe has issued an out-of-band security update for its Adobe Experience Manager (AEM) Forms platform on Java EE, following the public disclosure of an exploit chain that enables unauthenticated remote code execution on vulnerable instances.
The vulnerabilities, identified as CVE-2025-54253 and CVE-2025-54254, have both been rated critical and impact all production deployments of AEM Forms.
The first flaw — CVE-2025-54253 (CVSS score: 8.6) — stems from a misconfiguration in which the Struts2 development mode is inadvertently left enabled. This oversight permits attackers to leverage OGNL expression injection through debug parameters embedded in HTTP requests, effectively granting access to the administrative interface without requiring authentication.
The second vulnerability — CVE-2025-54254 (CVSS score: 10.0) — affects the SOAP authentication component, which lacks proper safeguards against XML External Entity (XXE) injection. Maliciously crafted XML documents can be submitted to coerce the system into disclosing sensitive local files, such as Windows configuration data or critical system parameters.
A third issue, previously addressed on August 5, is tracked as CVE-2025-49533 (CVSS score: 9.8). It resides within the FormServer module and arises from the insecure deserialization of user-supplied data. In the absence of validation checks, an attacker can deliver a malicious payload that the server processes automatically, opening the door to full system compromise.
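As an added example, not taken from the advisory or from Adobe, here is defender-side triage for the first two flaws: a pass over access-log lines that surfaces requests carrying a Struts2 `debug` parameter (which a production instance should never honour), and a check that rejects SOAP bodies declaring a DTD or entity before they reach an XML parser. The log lines, SOAP envelopes, and the `/forms/...` paths are constructed for this example and are not Adobe-documented values.

```python
"""Defensive triage for the AEM Forms flaws described above.
All sample data is constructed; paths and parameter names are assumptions."""
import re
from urllib.parse import parse_qs, urlsplit

# Common log format: ip ident user [timestamp] "METHOD url proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3})'
)

# Constructed access-log lines (not real traffic). The second line carries a
# Struts2 debug parameter, the signature of dev mode being reachable externally.
SAMPLE_LOGS = [
    '203.0.113.5 - - [30/Jul/2025:10:01:02 +0000] "GET /forms/portal/home.html HTTP/1.1" 200 512',
    '198.51.100.2 - - [30/Jul/2025:10:01:07 +0000] "GET /forms/app/login.action?debug=console HTTP/1.1" 200 2048',
    '198.51.100.7 - - [30/Jul/2025:10:02:11 +0000] "POST /forms/soap/auth HTTP/1.1" 500 300',
]


def struts_debug_requests(lines):
    """Return (ip, path, debug_value) for every request with a ``debug`` query parameter.
    With dev mode off the parameter is inert, so any hit is worth investigating
    regardless of its value; with dev mode on it is the OGNL entry point."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        parts = urlsplit(m["url"])
        qs = parse_qs(parts.query, keep_blank_values=True)
        if "debug" in qs:
            hits.append((m["ip"], parts.path, qs["debug"][0]))
    return hits


# Constructed SOAP envelopes. The second declares an external entity; a SOAP
# message must not contain a DTD at all, so it can be refused before parsing.
BENIGN_SOAP = ('<?xml version="1.0"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
               '<soap:Body><login><user>alice</user></login></soap:Body></soap:Envelope>')
XXE_SOAP = ('<?xml version="1.0"?><!DOCTYPE x [<!ENTITY ext SYSTEM "file:///example">]>'
            '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
            '<soap:Body><login><user>&ext;</user></login></soap:Body></soap:Envelope>')

DTD_MARKERS = re.compile(r'<!DOCTYPE|<!ENTITY|SYSTEM\s+"|PUBLIC\s+"', re.IGNORECASE)


def soap_body_has_dtd(body):
    """True when a SOAP request declares a DTD or entity and should be rejected outright."""
    return DTD_MARKERS.search(body) is not None
```

Rejecting DTDs up front is a stopgap; the parser behind the endpoint still needs external entity and DTD processing disabled so that a body that slips past the string check cannot resolve local files.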
All three vulnerabilities were uncovered by researchers at Searchlight Cyber, who reported the findings to Adobe on April 28. However, only one was patched within a reasonable timeframe. After a three-month wait, the researchers notified Adobe of their intention to publish a full technical breakdown, which was released on July 29.
Despite the public disclosure, Adobe did not issue patches for the remaining flaws until several days later. As a precautionary measure, security experts strongly urge administrators to apply the latest patches and hotfixes without delay. If immediate patching is not feasible, isolating AEM Forms from external networks is advised to mitigate risk.
Of particular concern is the fact that all three vulnerabilities enable unauthenticated remote code execution, rendering them ideal entry points for targeted attacks against organizations relying on Adobe Experience Manager. The severity is further compounded by the platform’s widespread use across government, corporate, and financial sectors — environments where a breach could result in the exposure of confidential data and the complete loss of control over critical digital assets.