CVE-2025-54254

Adobe Experience Manager | Improper Restriction of XML External Entity Reference ('XXE') (CWE-611)

CVSS 8.6 HIGH | EPSS 85.5% | CWE-611
In short

Adobe Experience Manager has a flaw that allows attackers to read sensitive files from the server's file system by sending specially crafted XML requests. No user interaction is needed for the attack to work.

Technical detail

An XXE (XML External Entity) vulnerability in Adobe Experience Manager 6.5.23 and earlier allows unauthenticated attackers to read arbitrary files from the server's filesystem through malicious XML input. The vulnerability requires no user interaction and results in unauthorized information disclosure; the CVSS scope is rated as changed (S:C), meaning the impact extends beyond the vulnerable component itself.

Summary generated and translated by AI from the official description.
Adobe Experience Manager versions 6.5.23 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could lead to arbitrary file system read. An attacker could exploit this vulnerability to access sensitive files on the local file system, scope is changed. Exploitation of this issue does not require user interaction.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
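Added defender-side example (not Adobe's code, and not tied to any particular AEM component, which the advisory does not name): a Python check built on the standard-library expat parser that, in hardened mode, refuses any DOCTYPE outright and, in audit mode, lists the external entity declarations that an XXE payload of this class relies on, so the intake point can log or block them before an application parser ever sees them. The sample payloads and the SYSTEM URI in them are constructed placeholders.

```python
from xml.parsers import expat

class UnsafeXml(ValueError):
    pass

def parse_untrusted(data: bytes, reject_doctype: bool = True) -> dict:
    """Parse untrusted XML without ever resolving entities.
    Hardened mode (default) refuses any DOCTYPE outright, the posture OWASP
    recommends for Java/XML stacks such as AEM; audit mode (reject_doctype=False)
    walks the document read-only and reports every external entity declaration,
    the file-read/SSRF primitive behind CWE-611, for logging or a WAF pre-check."""
    result = {"elements": [], "doctype": None, "external_entities": []}
    p = expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        if reject_doctype:
            raise UnsafeXml("DOCTYPE is not allowed in untrusted input")
        result["doctype"] = name

    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        # Internal entities carry a value and no identifiers; anything with a
        # SYSTEM/PUBLIC id would be fetched from disk or network if resolved.
        if system_id is not None or public_id is not None:
            result["external_entities"].append((name, system_id))

    p.StartDoctypeDeclHandler = on_doctype
    p.EntityDeclHandler = on_entity
    p.StartElementHandler = lambda name, attrs: result["elements"].append(name)
    # expat fetches external entities only when a handler asks for them;
    # returning 0 makes any reference to one abort the parse instead.
    p.ExternalEntityRefHandler = lambda *args: 0
    try:
        p.Parse(data, True)
    except expat.ExpatError:
        result["parse_error"] = True  # aborted or malformed: report what was seen
    return result

def is_rejected(data: bytes) -> bool:
    try:
        parse_untrusted(data)
        return False
    except UnsafeXml:
        return True

# Constructed sample payloads (not from the advisory); the SYSTEM URI is a placeholder.
BENIGN = b'<?xml version="1.0"?><page><title>hello</title></page>'
XXE_SHAPED = (b'<?xml version="1.0"?><!DOCTYPE page [<!ENTITY ext SYSTEM '
              b'"file:///placeholder/secret.txt">]><page>&ext;</page>')
```

The same DOCTYPE-refusal posture is what the OWASP XXE cheat sheet recommends for Java parsers (the `disallow-doctype-decl` feature on `DocumentBuilderFactory`), which is the relevant mitigation for a Java product such as AEM.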
