CISA has added a critical Adobe Experience Manager vulnerability to its KEV list due to active exploitation, with potential for arbitrary code execution. Although there are no confirmed real-world attacks yet, proof-of-concept code is available, prompting urgent patching for federal agencies. #CISA #AdobeExperienceManager #CVE202554253 #CVE201675426
Key points
- The vulnerability CVE-2025-54253 affects Adobe Experience Manager Forms on JEE versions 6.5.23.0 and earlier.
- It involves a misconfigured /adminui/debug servlet that evaluates user input as Java code without authentication.
- Active exploitation has been observed, and proof-of-concept code is publicly available.
- Adobe released a fix in version 6.5.0-0108 in August 2025 to address the flaw.
- FCEB agencies are instructed to apply patches by November 5, 2025 to mitigate risks.
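
A defender-side check for the exposure described in the key points, as an added example that is not from the article or from Adobe: it scans web access logs for requests that resolve to /adminui/debug. It assumes Apache/NCSA combined log format, and the sample lines and addresses are constructed.

```python
import posixpath
import re
from urllib.parse import unquote

# Assumption: access logs use the Apache/NCSA combined format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
DEBUG_PATH = "/adminui/debug"  # servlet path named in the key points

# Constructed sample lines (documentation-range addresses, not real traffic).
SAMPLE = [
    '192.0.2.10 - - [16/Oct/2025:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.7 - - [16/Oct/2025:10:02:11 +0000] "GET /adminui/debug?x=1 HTTP/1.1" 200 87 "-" "-"',
    '198.51.100.7 - - [16/Oct/2025:10:02:15 +0000] "POST /adminui//debug;v=1 HTTP/1.1" 403 0 "-" "-"',
    '203.0.113.5 - - [16/Oct/2025:10:03:40 +0000] "GET /AdminUI/%64ebug HTTP/1.1" 404 0 "-" "-"',
    '203.0.113.5 - - [16/Oct/2025:10:03:41 +0000] "GET /adminui/debugger HTTP/1.1" 404 0 "-" "-"',
]


def normalize_path(target: str) -> str:
    """Reduce a request target to a canonical lower-case path for matching."""
    # Drop the query string, then decode twice to catch double-encoded bytes.
    path = unquote(unquote(target.split("?", 1)[0]))
    # Remove servlet path parameters (";name=value") from every segment.
    path = "/".join(seg.split(";", 1)[0] for seg in path.split("/"))
    # Collapse repeated slashes and resolve "." / ".." segments.
    return posixpath.normpath("/" + path.lstrip("/")).lower()


def find_debug_servlet_hits(lines):
    """Return one record per log line whose path resolves to the debug servlet."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        # endswith() also covers deployments behind a context path.
        if not m or not normalize_path(m["target"]).endswith(DEBUG_PATH):
            continue
        hits.append({
            "ip": m["ip"], "ts": m["ts"], "method": m["method"],
            "status": int(m["status"]),
            "has_query": "?" in m["target"],
            # Heuristic: anything other than 401/403/404 means the servlet answered.
            "reachable": m["status"] not in ("401", "403", "404"),
        })
    return hits
```

Records with `reachable` set to true are the ones to triage first, since they show the servlet responding rather than being blocked upstream.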
Read More: https://thehackernews.com/2025/10/cisa-flags-adobe-aem-flaw-with-perfect.html