Adobe has released urgent patches for two critical vulnerabilities affecting Adobe Experience Manager (AEM) Forms on JEE, versions 6.5.23.0 and earlier. The flaws, tracked as CVE-2025-54253 and CVE-2025-54254, carry CVSS base scores of 10.0 and 8.6, respectively, making them high-priority risks for enterprise environments.
While Adobe has confirmed the availability of public proof-of-concept (PoC) exploits, the company says it is not yet aware of any exploitation in the wild.
The first vulnerability, tracked as CVE-2025-54253 (CVSS 10), allows for arbitrary code execution on affected systems due to misconfigurations in AEM Forms on JEE.
"An attacker could leverage this vulnerability to bypass security mechanisms and execute code. Exploitation of this issue does not require user interaction and scope is changed," reads the CVE description.
The severity score of 10.0 indicates maximum impact, and its exploitability without user interaction makes it especially dangerous for internet-facing or internal AEM instances.
The second flaw, tracked as CVE-2025-54254 (CVSS 8.6), is caused by improper restriction of XML external entity (XXE) references, potentially enabling attackers to read arbitrary files from the local file system.
"An attacker could exploit this vulnerability to access sensitive files on the local file system. Exploitation of this issue does not require user interaction," reads the CVE description.
XXE attacks are often used to leak server-side credentials, config files, or sensitive data, and can even act as pivot points for deeper infiltration into networked systems.
Adobe categorizes the update with priority rating 1, the highest urgency. Organizations using affected AEM versions should immediately update to the latest secure build (version 6.5.0-0108 or later).