SecurityWeek

Vulnerabilities
Organizations Warned of Exploited Adobe AEM Forms Vulnerability

A public PoC existed when Adobe patched the Experience Manager Forms (AEM Forms) bug in early August.


The US cybersecurity agency CISA on Wednesday warned that a recent Adobe Experience Manager Forms (AEM Forms) vulnerability has been exploited in attacks.

Tracked as CVE-2025-54253 (CVSS score of 10.0), the flaw was patched in early August with an out-of-band update because a proof-of-concept (PoC) exploit was already public.

AEM Forms is a solution designed for creating, managing, and publishing digital forms and documents. Described as a misconfiguration issue, the security defect can be exploited for arbitrary code execution.

Shubham Shah and Adam Kues of Searchlight Cyber, who discovered the security hole, said it chains an authentication bypass with Apache Struts development mode having been left enabled for the admin UI.

An attacker could craft a payload to execute Object-Graph Navigation Language (OGNL) expressions and could use public sandbox bypasses to achieve remote code execution, the researchers said.

Adobe addressed the vulnerability in AEM Forms on Java Enterprise Edition (JEE) version 6.5.0-0108. The same update also addressed CVE-2025-54254 (CVSS score of 8.6), an improper restriction of XML External Entity (XXE) references that leads to arbitrary file system reads.
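The article names two things a defender can verify directly: whether an AEM Forms JEE deployment is below the fixed build 6.5.0-0108, and whether Struts development mode has been left enabled. The audit helper below is an added example written for this page, not code from Adobe, Searchlight Cyber or CISA. It assumes (the article does not say so) that AEM Forms version strings follow the `major.minor.patch-build` shape seen in `6.5.0-0108`, and that dev mode is controlled by the standard Apache Struts 2 constant `struts.devMode`, set either in `struts.xml` or in `struts.properties`. The sample configuration files are constructed for the example; the weak one shows the setting the researchers describe, the fixed one the corrected value.

```python
"""Added example (not Adobe's, Searchlight Cyber's or CISA's code).

Assumptions not taken from the article:
- AEM Forms JEE versions look like "6.5.0-0108": major.minor.patch-build.
- Struts dev mode is the Struts 2 constant ``struts.devMode`` in struts.xml
  (<constant name="struts.devMode" value="..."/>) or struts.properties.
"""
import re
import xml.etree.ElementTree as ET

# Build in which Adobe fixed CVE-2025-54253 and CVE-2025-54254 (per the article).
FIXED_VERSION = "6.5.0-0108"

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)$")


def parse_version(s):
    """'6.5.0-0108' -> (6, 5, 0, 108); tuples then compare numerically."""
    m = _VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised AEM Forms version string: {s!r}")
    return tuple(int(p) for p in m.groups())


def is_patched(installed):
    """True when the installed build is at or above the fixed build."""
    return parse_version(installed) >= parse_version(FIXED_VERSION)


def devmode_from_struts_xml(xml_text):
    """True/False for struts.devMode in struts.xml, None if the constant is absent."""
    root = ET.fromstring(xml_text)
    for const in root.iter("constant"):
        if const.get("name") == "struts.devMode":
            return const.get("value", "").strip().lower() == "true"
    return None


def devmode_from_struts_properties(props_text):
    """Same check for a Java .properties file ('key=value' or 'key: value')."""
    for line in props_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, sep, value = line.partition(":")
        if key.strip() == "struts.devMode":
            return value.strip().lower() == "true"
    return None


def assess(installed_version, struts_xml=None, struts_props=None):
    """Return a list of findings; an empty list means both conditions are clear."""
    findings = []
    if not is_patched(installed_version):
        findings.append(f"version {installed_version} is below {FIXED_VERSION}: apply the August update")
    dev = devmode_from_struts_xml(struts_xml) if struts_xml is not None else None
    if dev is None and struts_props is not None:
        dev = devmode_from_struts_properties(struts_props)
    if dev:
        findings.append("struts.devMode=true: Struts development mode is enabled")
    return findings


# Constructed sample configs (not real deployment files).
SAMPLE_STRUTS_XML_WEAK = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE struts PUBLIC "-//Apache Software Foundation//DTD Struts Configuration 2.5//EN"
    "http://struts.apache.org/dtds/struts-2.5.dtd">
<struts>
    <constant name="struts.devMode" value="true"/>
    <package name="admin" extends="struts-default"/>
</struts>
"""
SAMPLE_STRUTS_XML_FIXED = SAMPLE_STRUTS_XML_WEAK.replace('value="true"', 'value="false"')
SAMPLE_STRUTS_PROPERTIES_WEAK = "# constructed sample\nstruts.devMode = true\nstruts.action.extension = action\n"

if __name__ == "__main__":
    for ver, xml in (("6.5.0-0107", SAMPLE_STRUTS_XML_WEAK), ("6.5.0-0108", SAMPLE_STRUTS_XML_FIXED)):
        print(ver, assess(ver, struts_xml=xml) or ["no findings"])
```

Both checks report independently on purpose: a host that has taken the 6.5.0-0108 update but still runs with `struts.devMode=true` is no longer exposed to this CVE, yet dev mode is not something an admin UI should ship with, and the finding keeps it visible.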


“Adobe is aware that CVE-2025-54253 and CVE-2025-54254 have a publicly available proof-of-concept,” the company warned in August, urging customers to update their deployments as soon as possible.

On Wednesday, CISA added CVE-2025-54253 to its Known Exploited Vulnerabilities (KEV) catalog, warning of its in-the-wild exploitation, without providing information on the observed attacks.

As mandated by Binding Operational Directive (BOD) 22-01, federal agencies were given three weeks to identify vulnerable AEM Forms installations in their environments and apply the available patches.

While BOD 22-01 only applies to federal agencies, CISA recommends that all organizations apply patches for the vulnerabilities described in the KEV list.

This week, Adobe released patches for over 35 security defects in its products, including a critical-severity issue in the Connect collaboration suite.


Written by Ionut Arghire, international correspondent for SecurityWeek.
