Adobe issues emergency patches after public release of proof-of-concept code.

In response to the public release of proof-of-concept (PoC) exploit code, Adobe has released emergency security patches addressing two critical zero-day vulnerabilities affecting Adobe Experience Manager (AEM) Forms on Java Enterprise Edition (JEE). These vulnerabilities could allow unauthenticated attackers to remotely execute code or access sensitive files on unpatched systems, representing a severe threat to organizations using affected versions.

Vulnerabilities Explained

The security issues addressed are:

  • CVE-2025-54253: A misconfiguration flaw enabling arbitrary code execution on vulnerable servers. This vulnerability is rated “Critical” with a CVSS score of 8.6.
  • CVE-2025-54254: An issue resulting from improper restrictions on XML External Entity (XXE) references, which allows attackers to read arbitrary files from the targeted system. This flaw is rated as “Critical” with the highest possible CVSS score of 10.0.
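The XXE class behind CVE-2025-54254 comes down to how the server-side XML parser is configured: a parser that honours a DOCTYPE and resolves external entities will happily read a local file named by an entity declaration and return its contents in the parsed document. The following Java example is added here for illustration and is not Adobe's code nor the patched AEM code; it places a hypothetical "legacy" JAXP configuration beside a hardened one, using a constructed temp file in place of any real sensitive file, so the difference can be observed offline.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import java.io.StringReader;
import java.nio.file.Files;
import java.nio.file.Path;

public class XxeHardening {

    // Hypothetical name for illustration: the way a lot of legacy code builds a parser,
    // leaving DTD processing and external entity resolution at their defaults.
    static DocumentBuilder legacyBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        return f.newDocumentBuilder();
    }

    // Hardened parser: refuse any DOCTYPE outright, and as belt and braces also
    // disable external entities and external DTD/schema access (JAXP 1.5 properties).
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        f.setXIncludeAware(false);
        return f.newDocumentBuilder();
    }

    // Parse the document and return the text content of the root element.
    static String parseAndRead(DocumentBuilder b, String xml) throws Exception {
        Document d = b.parse(new InputSource(new StringReader(xml)));
        return d.getDocumentElement().getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: a throwaway file standing in for a sensitive file on the host.
        Path secret = Files.createTempFile("xxe-demo", ".txt");
        Files.writeString(secret, "constructed-secret-value");

        // Constructed request body: a DOCTYPE declaring an external entity that names that file.
        String xml = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE form [<!ENTITY ext SYSTEM \"" + secret.toUri() + "\">]>\n"
            + "<form>&ext;</form>";

        // The default-configured parser resolves the entity and leaks the file contents.
        System.out.println("legacy parser returned: " + parseAndRead(legacyBuilder(), xml));

        // The hardened parser rejects the document as soon as it sees the DOCTYPE.
        try {
            parseAndRead(hardenedBuilder(), xml);
            System.out.println("hardened parser unexpectedly accepted the input");
        } catch (SAXParseException e) {
            System.out.println("hardened parser rejected input: " + e.getMessage());
        }

        Files.deleteIfExists(secret);
    }
}
```

Compile and run with a current JDK (`javac XxeHardening.java && java XxeHardening`); the first line prints the constructed secret, the second reports the parse error from the hardened factory. The disallow-doctype feature is the decisive control, since it removes the attack surface entirely; the remaining features and the empty ACCESS_EXTERNAL_* properties matter for code paths that must accept a DOCTYPE for legitimate reasons.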

Adobe acknowledged that exploit code for these vulnerabilities had been publicly released, escalating the urgency to deploy fixes due to the increased risk of real-world attacks.

Discovery and Patch Timeline

The vulnerabilities were uncovered by security researchers Shubham Shah and Adam Kues of Searchlight Cyber, who reported them to Adobe on April 28, 2025. Adobe had previously addressed a related issue, CVE-2025-49533, involving deserialization of untrusted data, before issuing these latest emergency updates.

Affected Products and Versions

Organizations running Adobe Experience Manager (AEM) Forms on JEE, version 6.5.23.0 and earlier on all supported platforms, are at risk. Adobe has released fixed versions (6.5.0-0108 and later) that resolve these vulnerabilities and also carry the earlier security corrections.

Recommendations for Administrators

Adobe has categorized these patches as “priority 1,” signaling the highest level of urgency. Administrators are strongly advised to:

  • Immediately assess the version of AEM Forms on JEE deployed within their environment.
  • Apply the latest updates or hotfixes as described in Adobe’s advisory documentation.
  • Follow all recommended validation steps to ensure successful deployment of the patches.
  • For installations running versions no longer supported, contact Adobe Customer Care for additional guidance and support options.
