Adobe Experience Manager (MS) versions 6.5.23.0 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could lead to arbitrary code execution by an attacker. Exploitation of this issue does not require user interaction. Scope is unchanged.
The vulnerability results from improper handling of deserialization of input data supplied by an attacker. An attacker can submit a specially crafted malicious serialized object to a vulnerable AEM endpoint. During the deserialization process, the application processes this object without proper validation, resulting in uncontrolled code execution on the server side. The attack is possible remotely over the network, without requiring privileges or user interaction.
Successful exploitation of this vulnerability allows an attacker to execute arbitrary code on the server (RCE), which can lead to complete system takeover, data theft, integrity violation, and service unavailability.
Apply patches available from the vendor according to references — details in Adobe security bulletin APSB25-67 available at https://helpx.adobe.com/security/products/aem-forms/apsb25-67.html
Adobe Experience Manager (AEM) version 6.5.23.0 and all earlier versions in the 6.5 branch.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HAdobe Experience Manager
APPAdobe≤ 6.5.23.0
Related vulnerabilities
Stored XSS w Adobe Experience Manager Forms JEE – krytyczna podatność
DOM-based XSS w Adobe Experience Manager — możliwe RCE i przejęcie sesji
DOM-based XSS w Adobe Experience Manager umożliwiający RCE
DOM-based XSS w Adobe Experience Manager umożliwiający RCE
AEM Forms Cloud Service offering, as well as version 6.5.10.0 (and below) are affected by an XML External Enti...