The US cybersecurity agency CISA on Wednesday warned that a recent Adobe Experience Manager Forms (AEM Forms) vulnerability has been exploited in attacks.
Tracked as CVE-2025-54253 (CVSS score of 10.0), the flaw was patched in early August with an out-of-band update, as a proof-of-concept (PoC) exploit had already been made public.
AEM Forms is a solution designed for creating, managing, and publishing digital forms and documents. Described as a misconfiguration issue, the security defect could be exploited for arbitrary code execution.
Shubham Shah and Adam Kues of Searchlight Cyber, who discovered the security hole, said it was a combination of an authentication bypass and the Struts development mode for the admin UI being left enabled.
An attacker could craft a payload to execute Object-Graph Navigation Language (OGNL) expressions and could use public sandbox bypasses to achieve remote code execution, the researchers said.
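Since the root cause described above is Struts development mode being left on, a defender's first check is whether the deployment still enables it. The following audit script is an added example written for this article, not code from Adobe, Searchlight Cyber or the Struts project; it assumes Struts' standard `struts.devMode` setting (a `<constant>` in `struts.xml` or a key in `struts.properties`) and uses constructed sample files rather than AEM Forms' real configuration paths.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: a struts.xml that leaves development mode on.
STRUTS_XML = """<struts>
  <constant name="struts.devMode" value="true" />
  <constant name="struts.enable.DynamicMethodInvocation" value="false" />
</struts>
"""

# Constructed sample: a struts.properties that also enables it.
STRUTS_PROPERTIES = """# hypothetical properties file for the admin UI
struts.devMode = TRUE
struts.i18n.reload=false
"""

# Java properties allow '=' or ':' as separator; the key is case-sensitive.
_PROP_RE = re.compile(r"^\s*struts\.devMode\s*[=:]\s*(\S+)")


def devmode_in_xml(xml_text):
    """Return True/False for the struts.devMode <constant>, or None if absent."""
    root = ET.fromstring(xml_text)
    for const in root.iter("constant"):
        if const.get("name") == "struts.devMode":
            return (const.get("value") or "").strip().lower() == "true"
    return None


def devmode_in_properties(props_text):
    """Return True/False for struts.devMode in a properties file, or None if absent."""
    for line in props_text.splitlines():
        if line.lstrip().startswith(("#", "!")):  # comment lines
            continue
        match = _PROP_RE.match(line)
        if match:
            return match.group(1).lower() == "true"
    return None


def audit(sources):
    """sources maps file name -> contents; returns the files that enable devMode.

    Each source is reported on its own; resolving which file wins when they
    disagree is left to the reviewer, since any enabling file is a finding.
    """
    findings = []
    for name, text in sources.items():
        enabled = devmode_in_xml(text) if name.endswith(".xml") else devmode_in_properties(text)
        if enabled:
            findings.append(name)
    return findings
```

A clean deployment should return an empty list; any file flagged here needs `struts.devMode` set to `false` before the host is considered hardened, independent of applying Adobe's patch.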
Adobe addressed the vulnerability in AEM Forms on Java Enterprise Edition (JEE) version 6.5.0-0108, which also addressed CVE-2025-54254 (CVSS score of 8.6), an improper restriction of XML External Entity reference issue leading to arbitrary file system read.
“Adobe is aware that CVE-2025-54253 and CVE-2025-54254 have a publicly available proof-of-concept,” the company warned in August, urging customers to update their deployments as soon as possible.
On Wednesday, CISA added CVE-2025-54253 to its Known Exploited Vulnerabilities (KEV) catalog, warning of its in-the-wild exploitation, without providing information on the observed attacks.
As mandated by Binding Operational Directive (BOD) 22-01, federal agencies were given three weeks to identify vulnerable AEM Forms installations in their environments and apply the available patches.
While BOD 22-01 only applies to federal agencies, CISA recommends that all organizations apply patches for the vulnerabilities listed in the KEV catalog.
This week, Adobe released patches for over 35 security defects in its products, including a critical-severity issue in the Connect collaboration suite.