CRITICAL🚩 CISA KEV⚡ EXPLOIT🇵🇱 Wersja polska

CVE-2025-54253

CVSS 10.0v3.1pub. 2025-08-05upd. 2025-10-23

Adobe Experience Manager versions 6.5.23 and earlier are affected by a Misconfiguration vulnerability that could result in arbitrary code execution. An attacker could leverage this vulnerability to bypass security mechanisms and execute code. Exploitation of this issue does not require user interaction and scope is changed.

🤖 AI Analysis
How it works

An attacker can remotely, without needing an account or user interaction, exploit the system's misconfiguration to bypass security mechanisms. Successful exploitation results in a scope change, meaning the impact of the attack may extend beyond the directly vulnerable component. This allows for arbitrary code execution on the server side with potentially broad privileges.

Impact

An attacker can gain full control over the vulnerable server through remote code execution (RCE), which threatens the confidentiality, integrity, and availability of the system and data stored within it.

Mitigation & patch

Apply patches available from the vendor immediately according to Adobe security bulletin APSB25-82 (https://helpx.adobe.com/security/products/aem-forms/apsb25-82.html). Due to active exploitation in the production environment, the update should be performed as a priority.

Who is affected

Adobe Experience Manager Forms in versions 6.5.23 and earlier.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • Adobe Experience Manager Forms

    APP
    Adobe
    ≤ 6.5.23.0

CISA KEV — detailsi

Vendori
Adobe
Producti
Experience Manager (AEM) Forms
Added to KEVi
October 15, 2025
Remediation deadline (US Federal)i
November 5, 2025(overdue)
Required action (CISA)i

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CISA descriptioni

Adobe Experience Manager Forms in JEE contains an unspecified vulnerability that allows for arbitrary code execution.

🔴
IMMEDIATE ACTION
Actively exploited in the wild (CISA KEV). Patch immediately.
CISA DEADLINE: 5 listopada 2025
Tags
RCE
CWE
References

Related vulnerabilities

CVE-2020-9732CRITICAL9.0ten sam produkt

The AEM Forms add-on for versions 6.5.5.0 (and below) and 6.4.8.2 (and below) are affected by a stored XSS vul...

CVE-2025-54254HIGH8.6ten sam produkt

Adobe Experience Manager versions 6.5.23 and earlier are affected by an Improper Restriction of XML External E...

CVE-2020-9733HIGH7.5ten sam produkt

An AEM java servlet in AEM versions 6.5.5.0 (and below) and 6.4.8.1 (and below) executes with the permissions ...

CVE-2017-3067HIGH7.5ten sam produkt

Adobe Experience Manager Forms versions 6.2, 6.1, 6.0 have an information disclosure vulnerability resulting f...

CVE-2019-8089MEDIUM6.1ten sam produkt

Adobe Experience Manager Forms versions 6.3-6.5 have a reflected cross-site scripting vulnerability. Successfu...