
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added a critical security flaw affecting Adobe Experience Manager to its Known Exploited Vulnerabilities (KEV) catalog based on evidence of active exploitation.
The vulnerability in question is CVE-2025-54253 (CVSS score: 10.0), a maximum-severity misconfiguration bug (CWE-16) that can lead to arbitrary code execution.
According to Adobe, the flaw affects Adobe Experience Manager (AEM) Forms on JEE versions 6.5.23.0 and earlier. Adobe fixed it in version 6.5.0-0108, released in early August 2025, alongside CVE-2025-54254 (CVSS score: 8.6), an XML external entity (XXE) issue in the same product. Deployments should confirm the installed Forms on JEE version is 6.5.0-0108 or later; a version string of 6.5.23.0 or lower still carries both flaws.
“The flaw results from the compromised exposure of the /adminui/debug servlet that evaluates user-supplied OGNL expressions as Java code, without requiring authentication or input validation,” security firm FireCompass notes. “Exploitation of this endpoint could allow an attacker to execute arbitrary system commands with a single crafted HTTP request.”
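The exposure described above, an administrative debug servlet reachable without authentication, leaves a plain trace in web-server access logs: any request whose path is `/adminui/debug` is worth examining, and one that received a success status rather than a 401 or 403 is a strong indicator that the servlet was reachable unauthenticated. The following detector is an added example written for this article, not code from Adobe, FireCompass or CISA. It parses combined-format access log lines, flags requests to the debug servlet, and separates blocked probes from successful hits. The log lines are constructed samples, the IP addresses are documentation ranges, and the exact-path match is an assumption about how the servlet is addressed; adjust it if your reverse proxy rewrites paths.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [15/Oct/2025:10:01:12 +0000] "GET /content/dam/logo.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Oct/2025:10:01:15 +0000] "GET /adminui/debug?foo=bar HTTP/1.1" 200 812 "-" "python-requests/2.32"
198.51.100.4 - - [15/Oct/2025:10:02:03 +0000] "GET /adminui/debug HTTP/1.1" 403 0 "-" "curl/8.5.0"
198.51.100.4 - - [15/Oct/2025:10:02:09 +0000] "POST /adminui/debug HTTP/1.1" 401 0 "-" "curl/8.5.0"
192.0.2.10 - - [15/Oct/2025:10:03:40 +0000] "GET /adminui/debug.css HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

# Combined log format: client ident user [timestamp] "METHOD target PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Path named in the FireCompass analysis quoted above. Exact match is an
# assumption for this example; the servlet may also be reachable with suffixes.
DEBUG_SERVLET = "/adminui/debug"


@dataclass(frozen=True)
class Finding:
    client: str
    method: str
    status: int
    severity: str
    line: str


def parse_line(line: str) -> Optional[dict]:
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry: dict) -> Optional[str]:
    """Classify a parsed request; None means it did not touch the debug servlet."""
    path = entry["target"].split("?", 1)[0]  # drop the query string before comparing
    if path != DEBUG_SERVLET:
        return None
    status = int(entry["status"])
    if status in (401, 403):
        # The servlet was requested but the server refused it: a probe, not a hit.
        return "probe-blocked"
    if 200 <= status < 400:
        # A success or redirect means the debug servlet answered an external request.
        return "critical"
    return "probe"


def scan(log_text: str) -> list:
    """Walk a log, returning a Finding for every request aimed at the debug servlet."""
    findings = []
    for raw in log_text.splitlines():
        entry = parse_line(raw)
        if entry is None:
            continue  # unparseable line; a production detector would count these
        severity = classify(entry)
        if severity is not None:
            findings.append(Finding(entry["ip"], entry["method"], int(entry["status"]), severity, raw))
    return findings


def sources_with_success(findings: list) -> set:
    """Client addresses whose requests to the debug servlet got a non-error response."""
    return {f.client for f in findings if f.severity == "critical"}


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.severity:14} {f.client:15} {f.method:5} {f.status}")
    print("clients to investigate:", sorted(sources_with_success(scan(SAMPLE_LOG))))
```

Run against real logs, the `critical` bucket is the one to act on: it lists clients that reached the servlet on a host that was still on 6.5.23.0 or earlier. A 403 or 401 tells you the endpoint was probed but refused, which is still useful for scoping who is scanning for the flaw. Note that `/adminui/debug.css` is deliberately not matched; broaden the path test only if you know how your deployment routes suffixes.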

There is currently no publicly available information on how this security flaw is being exploited in real-world attacks, but Adobe acknowledges in the advisory that “CVE-2025-54253 and CVE-2025-54254 have publicly available proofs of concept.”
In view of active abuse, Federal Civilian Executive Branch (FCEB) agencies are required under Binding Operational Directive 22-01 to apply the fixes by November 5, 2025.
This development comes a day after CISA added the SKYSEA Client View Critical Improper Authentication Vulnerability (CVE-2016-7836, CVSS Score: 9.8) to the KEV Catalog. Japan Vulnerability Notes (JVN) stated in an advisory released in late 2016 that “attacks exploiting this vulnerability have been observed in the wild.”
“SKYSEA Client View contains an improper authentication vulnerability that could allow remote code execution due to a flaw in the authentication process in TCP connections with the management console program,” the agency said.