CVE-2025-54253

Adobe Experience Manager | Incorrect Authorization (CWE-863)

CVSS 10 CRITICAL | EPSS 89.8% | KEV | CWE-863

In short

Adobe Experience Manager versions 6.5.23 and earlier have a security misconfiguration that allows attackers to run arbitrary code on the system without any user interaction. This is a critical flaw because it gives complete control of the affected server to an attacker.

Technical detail

A misconfiguration vulnerability in Adobe Experience Manager (AEM) 6.5.23 and earlier lets an attacker bypass security mechanisms and execute code without authorization. The vulnerability requires no user interaction and can be exploited remotely; successful exploitation grants arbitrary code execution with potential for complete system compromise and privilege escalation.

Summary generated and translated by AI from the official description.
Adobe Experience Manager versions 6.5.23 and earlier are affected by a Misconfiguration vulnerability that could result in arbitrary code execution. An attacker could leverage this vulnerability to bypass security mechanisms and execute code. Exploitation of this issue does not require user interaction and scope is changed.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
