Critical Zero-Day Vulnerabilities in Adobe Experience Manager
8 August 2025
Adobe has released security updates addressing critical zero-day vulnerabilities in its Adobe Experience Manager Forms on Java Enterprise Edition. Users and administrators are advised to update to the latest versions immediately.
Background
Adobe has released security updates addressing critical zero-day vulnerabilities (CVE-2025-54253 and CVE-2025-54254) in its Adobe Experience Manager Forms (AEM Forms) on Java Enterprise Edition (JEE).
Impact
The vulnerabilities are:
CVE-2025-54253: Successful exploitation of this misconfiguration vulnerability could allow an attacker to perform remote code execution. This vulnerability has a Common Vulnerability Scoring System (CVSSv3.1) score of 10 out of 10.
CVE-2025-54254: Successful exploitation of this improper restriction of XML External Entity Reference ('XXE') vulnerability could allow an attacker to access sensitive files on the local file system.
Known Exploitation
Adobe is aware that proofs-of-concept for these vulnerabilities exist in the wild.
Affected Products
The vulnerabilities affect AEM Forms on JEE versions 6.5.23.0 and earlier.
Recommendations
Users and administrators of affected products are advised to update to the latest versions immediately.
References
https://helpx.adobe.com/security/products/aem-forms/apsb25-82.html
https://nvd.nist.gov/vuln/detail/CVE-2025-54253