Critical Zero-Day Vulnerabilities in Adobe Experience Manager

8 August 2025

Adobe has released security updates addressing critical zero-day vulnerabilities in its Adobe Experience Manager Forms on Java Enterprise Edition. Users and administrators are advised to update to the latest versions immediately.

Background

Adobe has released security updates addressing critical zero-day vulnerabilities (CVE-2025-54253 and CVE-2025-54254) in its Adobe Experience Manager Forms (AEM Forms) on Java Enterprise Edition (JEE).

Impact

The vulnerabilities are:

CVE-2025-54253: Successful exploitation of this misconfiguration vulnerability could allow an attacker to perform remote code execution. This vulnerability has a Common Vulnerability Scoring System (CVSSv3.1) score of 10 out of 10.
CVE-2025-54254: Successful exploitation of this improper restriction of XML External Entity Reference ('XXE') vulnerability could allow an attacker to access sensitive files on the local file system.

Known Exploitation

Adobe is aware that proofs-of-concept for these vulnerabilities exist in the wild.

Affected Products

The vulnerabilities affect AEM Forms on JEE Versions 6.5.23.0 and earlier.

Recommendations

Users and administrators of affected products are advised to update to the latest versions immediately.

References

https://helpx.adobe.com/security/products/aem-forms/apsb25-82.html

https://experienceleague.adobe.com/en/docs/experience-manager-65/content/forms/troubleshooting/mitigating-xxe-and-configuration-vulnerabilities-for-experience-manager-forms-jee

https://nvd.nist.gov/vuln/detail/CVE-2025-54253

https://nvd.nist.gov/vuln/detail/CVE-2025-54254

https://www.securityweek.com/adobe-issues-out-of-band-patches-for-aem-forms-vulnerabilities-with-public-poc/

Government officials will never ask you to transfer money or disclose bank log-in details over a phone call.

Critical Zero-Day Vulnerabilities in Adobe Experience Manager

Reach us