Organizations Warned of Exploited Adobe AEM Forms Vulnerability

Posted on October 16, 2025 By CWS

The US cybersecurity agency CISA on Wednesday warned that a recent Adobe Experience Manager Forms (AEM Forms) vulnerability has been exploited in attacks.

Tracked as CVE-2025-54253 (CVSS score of 10.0), the flaw was patched in early August with an out-of-band update, as a proof-of-concept (PoC) exploit had already been public.

AEM Forms is a solution designed for creating, managing, and publishing digital forms and documents. Described as a misconfiguration issue, the security defect could be exploited for arbitrary code execution.

Shubham Shah and Adam Kues of Searchlight Cyber, who discovered the security hole, said it was a combination of authentication bypass and the Struts development mode for the admin UI being left enabled.

An attacker could craft a payload to execute Object-Graph Navigation Language (OGNL) expressions and could use public sandbox bypasses to achieve remote code execution, the researchers said.
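
A defender-side check for the misconfiguration the researchers describe, as an added example that is not from the article, Adobe or Searchlight Cyber: it flags Struts configuration text in which the `struts.devMode` constant is enabled, in either `struts.xml` or `struts.properties` form. The sample inputs are constructed and the function names are hypothetical; the article does not say where an AEM Forms deployment keeps its Struts configuration.

```python
import re
import xml.etree.ElementTree as ET

def devmode_in_struts_xml(text):
    """True if a <constant name="struts.devMode"> element is set to true."""
    root = ET.fromstring(text)
    return any(
        c.get("name") == "struts.devMode"
        and (c.get("value") or "").strip().lower() == "true"
        for c in root.iter("constant")
    )

def devmode_in_properties(text):
    """True if struts.devMode is true in properties text (last entry wins)."""
    enabled = False
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":      # blank line or comment
            continue
        m = re.match(r"struts\.devMode\s*[=:\s]\s*(\S+)", line)
        if m:
            enabled = m.group(1).lower() == "true"
    return enabled

def audit(filename, text):
    """Return a finding string, or None when development mode is off."""
    check = devmode_in_struts_xml if filename.endswith(".xml") else devmode_in_properties
    if check(text):
        return f"{filename}: struts.devMode is enabled; set it to false"
    return None

# Constructed sample inputs (not taken from any real deployment).
WEAK_XML = '<struts><constant name="struts.devMode" value="true"/></struts>'
FIXED_XML = '<struts><constant name="struts.devMode" value="false"/></struts>'
WEAK_PROPS = "# constructed sample\nstruts.devMode = true\n"
FIXED_PROPS = "struts.devMode = true\nstruts.devMode=false\n"

if __name__ == "__main__":
    for name, text in [("struts.xml", WEAK_XML), ("struts.xml", FIXED_XML),
                       ("struts.properties", WEAK_PROPS),
                       ("struts.properties", FIXED_PROPS)]:
        print(audit(name, text) or f"{name}: ok")
```
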

Adobe addressed the vulnerability in AEM Forms on Java Enterprise Edition (JEE) version 6.5.0-0108, which also addressed CVE-2025-54254 (CVSS score of 8.6), an improper restriction of XML External Entity reference issue leading to arbitrary file system read.

“Adobe is aware that CVE-2025-54253 and CVE-2025-54254 have a publicly available proof-of-concept,” the company warned in August, urging customers to update their deployments as soon as possible.

On Wednesday, CISA added CVE-2025-54253 to its Known Exploited Vulnerabilities (KEV) catalog, warning of its in-the-wild exploitation, without providing information on the observed attacks.

As mandated by Binding Operational Directive (BOD) 22-01, federal agencies have three weeks to identify vulnerable AEM Forms installations in their environments and apply the available patches.

While BOD 22-01 only applies to federal agencies, CISA recommends that all organizations apply patches for the vulnerabilities described in the KEV list.

This week, Adobe released patches for over 35 security defects in its products, including a critical-severity issue in the Connect collaboration suite.
