Adobe on Tuesday released out-of-band security updates that address two critical vulnerabilities in Adobe Experience Manager Forms (AEM Forms) on Java Enterprise Edition (JEE) for which public exploit code exists.
The two flaws are tracked as CVE-2025-54253 (CVSS score of 10.0) and CVE-2025-54254 (CVSS score of 8.6) and could be exploited to execute arbitrary code or read arbitrary files on the system.
“Adobe is aware that CVE-2025-54253 and CVE-2025-54254 have a publicly available proof-of-concept. Adobe is not aware of these issues being exploited in the wild,” the company notes in its advisory.
Crediting Shubham Shah and Adam Kues of Assetnote (which was acquired by Searchlight Cyber in January 2025) for reporting the vulnerabilities, Adobe urges customers to apply the newly released hotfixes that resolve both flaws.
While Adobe simply describes CVE-2025-54253 as a misconfiguration issue, Searchlight Cyber explains that it combines an authentication bypass with the Struts development mode for the admin UI being left enabled.
This combination allowed the security researchers to craft a payload leading to the execution of Object-Graph Navigation Language (OGNL) expressions.
“It is trivial to escalate this to remote command execution through the numerous public sandbox bypasses available. In our case, we were dealing with a relatively complex WAF, and since the payload was within the GET request’s first line section, we had to be somewhat creative to achieve RCE,” Searchlight Cyber says.
CVE-2025-54254, described as an improper restriction of XML External Entity Reference (XXE) defect, exists because an authentication mechanism in AEM Forms loaded an XML document insecurely, thus being exploitable without authentication.
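The XXE class described above comes down to how the XML parser is configured. As an added illustration, not code from Adobe or from the Searchlight Cyber write-up, the following Java program contrasts a default JAXP DocumentBuilder with one hardened along the lines of the OWASP XXE prevention guidance, and feeds both a constructed document that declares an external entity (the file:///placeholder/path URI is a placeholder, not a real location). The class, method and enum names are the example's own.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.SAXException;
import org.xml.sax.SAXParseException;

public class XxeHardeningDemo {

    // Constructed sample input: the shape of document an XXE-prone loader must refuse.
    // The SYSTEM URI is a placeholder path, not a real file.
    static final String UNTRUSTED_XML =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE auth [<!ENTITY ext SYSTEM \"file:///placeholder/path\">]>\n"
      + "<auth><user>&ext;</user></auth>";

    enum Outcome {
        ACCEPTED,                 // parser built a DOM from the document
        REJECTED_AT_DOCTYPE,      // parser refused the DOCTYPE before doing any I/O
        EXTERNAL_FETCH_ATTEMPTED  // parser tried to open the external entity (the XXE behaviour)
    }

    /** Default JAXP configuration: DOCTYPE declarations and external entities are honoured. */
    static DocumentBuilder defaultBuilder() throws ParserConfigurationException {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    /** Hardened configuration: no DOCTYPE, no external entities, no external DTD/schema fetches. */
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Rejecting DOCTYPE outright stops classic XXE and entity-expansion DoS in one step.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for deployments that must tolerate a DOCTYPE elsewhere.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        // JAXP 1.5+ properties: an empty string blocks all external DTD and schema access.
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return f.newDocumentBuilder();
    }

    /** Classifies what the parser did with the document; no exception escapes. */
    static Outcome load(DocumentBuilder builder, String xml) {
        try {
            builder.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return Outcome.ACCEPTED;
        } catch (SAXParseException e) {
            // The hardened builder lands here: "DOCTYPE is disallowed ..." raised at the prolog.
            return Outcome.REJECTED_AT_DOCTYPE;
        } catch (IOException e) {
            // The default builder lands here: it resolved &ext; and tried to open the SYSTEM URI.
            return Outcome.EXTERNAL_FETCH_ATTEMPTED;
        } catch (SAXException e) {
            return Outcome.REJECTED_AT_DOCTYPE;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("default parser:  " + load(defaultBuilder(), UNTRUSTED_XML));
        System.out.println("hardened parser: " + load(hardenedBuilder(), UNTRUSTED_XML));
    }
}
```

The difference worth noticing is where each parser fails: the default builder's error is an I/O error raised while it is already reaching for the external resource, whereas the hardened builder stops at the DOCTYPE declaration before any file or network access happens. For code that parses XML on behalf of an unauthenticated request, such as a login or token-validation path, that pre-I/O rejection is the property to require.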
Searchlight Cyber reported the two issues to Adobe in April, along with CVE-2025-49533 (CVSS score of 9.8), a critical-severity deserialization of untrusted data vulnerability that was resolved as part of Adobe’s July 2025 security updates.
On July 29, in line with its 90-day disclosure policy, Searchlight Cyber released technical information and proof-of-concept (PoC) code targeting all three security defects, urging users to restrict access to AEM Forms in standalone deployments.
“All of the vulnerabilities we’ve disclosed in AEM Forms are not complex,” Searchlight says. “Instead, these issues are what we’d expect to have been discovered years ago. Previously known as LiveCycle, this product line has been in use by enterprises for almost 20 years. That raises the question of why these simple vulnerabilities had not been caught by others or fixed by Adobe.”