CRITICAL🇵🇱 Wersja polska

CVE-2025-49533

CVSS 9.8v3.1pub. 2025-07-08upd. 2025-07-18

Adobe Experience Manager (MS) versions 6.5.23.0 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could lead to arbitrary code execution by an attacker. Exploitation of this issue does not require user interaction. Scope is unchanged.

🤖 AI Analysis
How it works

The vulnerability results from improper handling of deserialization of input data supplied by an attacker. An attacker can submit a specially crafted malicious serialized object to a vulnerable AEM endpoint. During the deserialization process, the application processes this object without proper validation, resulting in uncontrolled code execution on the server side. The attack is possible remotely over the network, without requiring privileges or user interaction.

Impact

Successful exploitation of this vulnerability allows an attacker to execute arbitrary code on the server (RCE), which can lead to complete system takeover, data theft, integrity violation, and service unavailability.

Mitigation & patch

Apply patches available from the vendor according to references — details in Adobe security bulletin APSB25-67 available at https://helpx.adobe.com/security/products/aem-forms/apsb25-67.html

Who is affected

Adobe Experience Manager (AEM) version 6.5.23.0 and all earlier versions in the 6.5 branch.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Adobe Experience Manager

    APP
    Adobe
    ≤ 6.5.23.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCEDeserialization
CWE
References

Related vulnerabilities

CVE-2026-34691CRITICAL9.3PL ✓ten sam produkt

Stored XSS w Adobe Experience Manager Forms JEE – krytyczna podatność

CVE-2025-64538CRITICAL9.3PL ✓ten sam produkt

DOM-based XSS w Adobe Experience Manager — możliwe RCE i przejęcie sesji

CVE-2025-64537CRITICAL9.3PL ✓ten sam produkt

DOM-based XSS w Adobe Experience Manager umożliwiający RCE

CVE-2025-64539CRITICAL9.3PL ✓ten sam produkt

DOM-based XSS w Adobe Experience Manager umożliwiający RCE

CVE-2021-40722CRITICAL9.8ten sam produkt

AEM Forms Cloud Service offering, as well as version 6.5.10.0 (and below) are affected by an XML External Enti...