
CISA: Maximum-severity Adobe flaw now exploited in attacks


CISA has warned that attackers are actively exploiting a maximum-severity vulnerability in Adobe Experience Manager to execute code on unpatched systems.

Tracked as CVE-2025-54253, this critical security flaw stems from a misconfiguration weakness that affects Adobe Experience Manager (AEM) Forms on JEE versions 6.5.23 and earlier.

Successful exploitation can allow unauthenticated threat actors to bypass security mechanisms and execute arbitrary code remotely in low-complexity attacks that don’t require user interaction.

The flaw was discovered by Adam Kues and Shubham Shah of Searchlight Cyber, who disclosed it to Adobe on April 28th, together with two other issues (CVE-2025-54254 and CVE-2025-49533).

However, Adobe patched only the last of these, CVE-2025-49533, in April, leaving CVE-2025-54253 and CVE-2025-54254 unfixed for over 90 days, until after the two security researchers published a write-up on July 29th detailing how the vulnerabilities work and how they can be exploited.

Adobe finally released security updates on August 9th to address the CVE-2025-54253 vulnerability, confirming that proof-of-concept exploit code was already publicly available.

As Searchlight Cyber explained, CVE-2025-54253 is an authentication bypass that leads to remote code execution (RCE) via Struts DevMode. The researchers also advised admins to restrict Internet access to AEM Forms when deployed as a standalone application if they can’t immediately patch the software.
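To turn that description into something an administrator can run during triage, here is an added example script that is not from the article, Adobe or Searchlight Cyber. It checks an installed build number against the "6.5.23 and earlier" range named above and flags Struts devMode when it is switched on in a struts.xml (`<constant name="struts.devMode">`) or a struts.properties (`struts.devMode=`). It assumes those two Struts 2 configuration formats; where the files sit inside an AEM Forms on JEE deployment is not given by the article and must be located by the administrator. The `FIRST_UNAFFECTED` version and the sample file contents are assumptions constructed for the example, and the script only reports exposure, it does not exploit anything:

```python
"""CVE-2025-54253 triage check for AEM Forms on JEE hosts.

Added example, not code from the article, Adobe or Searchlight Cyber.
Assumptions:
  * the installed build is known as a dotted version string such as "6.5.23.0";
  * Struts 2 settings live in a struts.xml (<constant name="struts.devMode">)
    and/or a struts.properties (struts.devMode=...); where those files sit
    inside an AEM Forms install is not given by the article;
  * the sample file contents below are constructed for this example.
A "false" devMode is no substitute for applying Adobe's update.
"""
import re
import xml.etree.ElementTree as ET

# First build outside the "6.5.23 and earlier" range named in the article.
# Assumption: confirm against Adobe's bulletin before relying on it.
FIRST_UNAFFECTED = (6, 5, 24)

# Constructed sample configuration files (not taken from a real deployment).
SAMPLE_STRUTS_XML = """<struts>
  <constant name="struts.devMode" value="true"/>
  <constant name="struts.action.extension" value="action"/>
</struts>
"""
SAMPLE_STRUTS_PROPERTIES = """# constructed sample struts.properties
struts.devMode = false
struts.i18n.reload = true
"""


def parse_version(version: str) -> tuple:
    """Turn '6.5.23.0' into (6, 5, 23, 0); stops at the first non-numeric part."""
    parts = []
    for piece in version.strip().split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts)


def version_is_affected(version: str) -> bool:
    """True for builds in the range the article names (6.5.23 and earlier)."""
    return parse_version(version) < FIRST_UNAFFECTED


def struts_xml_devmode(xml_text: str) -> bool:
    """True if struts.xml sets the struts.devMode constant to true.

    The config is local, trusted input, so the stdlib parser is acceptable here.
    """
    root = ET.fromstring(xml_text)
    for constant in root.iter("constant"):
        if constant.get("name") == "struts.devMode":
            return constant.get("value", "").strip().lower() == "true"
    return False


def struts_properties_devmode(props_text: str) -> bool:
    """True if struts.properties sets struts.devMode=true (last setting wins).

    Lines starting with '#' or '!' are comments and never match the pattern.
    """
    enabled = False
    for line in props_text.splitlines():
        match = re.match(r"^\s*struts\.devMode\s*[=:]\s*(\S+)", line)
        if match:
            enabled = match.group(1).lower() == "true"
    return enabled


def assess(version: str, struts_xml: str = "", struts_props: str = "") -> dict:
    """Combine the version and configuration checks into one finding.

    Either file enabling devMode is reported: Struts merges constants from
    several sources, so any source that turns it on deserves a look.
    """
    devmode = (struts_xml and struts_xml_devmode(struts_xml)) or \
              (struts_props and struts_properties_devmode(struts_props))
    affected = version_is_affected(version)
    return {
        "version": version,
        "affected_version": affected,
        "devmode_enabled": bool(devmode),
        "action": (
            "patch now; restrict Internet exposure until patched"
            if affected
            else "build outside the affected range; confirm devMode stays off"
        ),
    }


if __name__ == "__main__":
    print(assess("6.5.23.0", SAMPLE_STRUTS_XML, SAMPLE_STRUTS_PROPERTIES))
```

Feed `assess()` the real build number and the contents of the deployment's Struts configuration files; an affected build gets the patch regardless of what devMode says, and, as the researchers advised, a standalone AEM Forms instance that cannot be patched immediately should be taken off the Internet in the meantime.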

CISA has now added this vulnerability to its Known Exploited Vulnerabilities Catalog, giving Federal Civilian Executive Branch (FCEB) agencies three weeks to secure their systems by November 5th, as mandated by the Binding Operational Directive (BOD) 22-01 issued in November 2021.

Although BOD 22-01 targets U.S. federal agencies, the cybersecurity agency encouraged all organizations, including those in the private sector, to prioritize patching their systems against this actively exploited flaw as soon as possible.

“Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable,” CISA warned on Wednesday.

“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” it added.

