Redazione RHC : 6 August 2025 15:46
On August 5, 2025, Adobe released an urgent security update for Adobe Experience Manager (AEM) Forms on Java Enterprise Edition (JEE), addressing two serious vulnerabilities: CVE-2025-54253 and CVE-2025-54254.
The most serious, CVE-2025-54253, is a zero-day that was actively exploited in the wild before the patch, with a CVSS score of 10.0, the highest possible. An unauthenticated attacker can exploit this flaw to gain full control of the vulnerable server, executing remote commands, accessing sensitive data, and moving laterally across the network.
The vulnerability is caused by a misconfiguration in some AEM Forms installations, where Apache Struts development mode is enabled by default. This allows the execution of OGNL expressions, typical of RCE attacks. Additionally, an authentication bypass has been reported, allowing exploits to be executed even without credentials.
Adobe has confirmed that a proof-of-concept was publicly available for a short time before being removed. However, there are currently no known fully functional public exploits, although it is highly likely that private versions used by malicious actors exist.
The second vulnerability, CVE-2025-54254, is also critical (CVSS 8.6) and involves a XXE (XML External Entity) flaw that allows arbitrary file system reads. A public PoC has also been confirmed.
Adobe encourages users to immediately install the update that brings AEM Forms on JEE to version 6.5.0-0108, classified as a Priority 1 update. If you are unable to update immediately, it is strongly recommended to restrict external access to AEM Forms endpoints and disable Struts development mode in all environments.
Additionally, it is critical to monitor access and system logs for suspicious activity, such as requests containing OGNL syntax, which could indicate exploit attempts.
Redazione