Oct 16, 2025Ravie LakshmananVulnerability / Information Safety
The U.S. Cybersecurity and Infrastructure Safety Company (CISA) on Wednesday added a crucial safety flaw impacting Adobe Expertise Supervisor to its Identified Exploited Vulnerabilities (KEV) catalog, based mostly on proof of energetic exploitation.
The vulnerability in query is CVE-2025-54253 (CVSS rating: 10.0), a maximum-severity misconfiguration bug that would end in arbitrary code execution.
In accordance with Adobe, the shortcoming impacts Adobe Expertise Supervisor (AEM) Types on JEE variations 6.5.23.0 and earlier. It was addressed in model 6.5.0-0108 launched early August 2025, alongside CVE-2025-54254 (CVSS rating: 8.6).
The flaw outcomes from the dangerously uncovered /adminui/debug servlet, which evaluates user-supplied OGNL expressions as Java code with out requiring authentication or enter validation,” safety firm FireCompass famous. “The endpoint’s misuse allows attackers to execute arbitrary system instructions with a single crafted HTTP request.”
There’s at present no info publicly obtainable on how the safety flaw is being exploited in real-world assaults, though Adobe acknowledged in its advisory that “CVE-2025-54253 and CVE-2025-54254 have a publicly obtainable proof-of-concept.”
In mild of energetic exploitation, Federal Civilian Govt Department (FCEB) companies are suggested to use the required fixes by November 5, 2025.
The event comes a day after CISA additionally added a crucial improper authentication vulnerability in SKYSEA Consumer View (CVE-2016-7836, CVSS rating: 9.8) to the KEV catalog. Japan Vulnerability Notes (JVN), in an advisory launched in late 2016, mentioned “assaults exploiting this vulnerability have been noticed within the wild.”
“SKYSEA Consumer View incorporates an improper authentication vulnerability that permits distant code execution by way of a flaw in processing authentication on the TCP reference to the administration console program,” the company mentioned.
