
Adobe Releases Emergency Patches for AEM Forms

Adobe has released emergency patches that address two critical vulnerabilities in Adobe Experience Manager Forms (AEM Forms) in Java Enterprise Edition (JEE), for which public exploits are already available.

The vulnerabilities have been assigned the identifiers CVE-2025-54253 (the maximum score of 10 on the CVSS scale) and CVE-2025-54254 (8.6 on the CVSS scale). These bugs can be exploited to execute arbitrary code or read arbitrary files on the system.

“Adobe is aware that proof-of-concept exploits for CVE-2025-54253 and CVE-2025-54254 are publicly available. Adobe has no information regarding the exploitation of these issues in real-world attacks,” the company stated.

The developers expressed their gratitude to the specialists from Assetnote (acquired by Searchlight Cyber in January 2025) for discovering the vulnerabilities.

Adobe describes CVE-2025-54253 as a misconfiguration issue, but researchers from Searchlight Cyber explain that the vulnerability combines authentication bypass with an erroneously enabled Struts development mode in the admin interface. This combination allows for the creation of a payload leading to the execution of Object-Graph Navigation Language (OGNL) expressions.

“Escalating the vulnerability to remote code execution is not difficult—there are numerous solutions available online for bypassing the sandbox. In our case, we had to deal with a rather complex WAF, and since the payload was located in the first line of the GET request, we had to be inventive to achieve RCE,” say the experts at Searchlight Cyber.

The second vulnerability, CVE-2025-54254, is described as an XXE (XML External Entity Reference) issue. It arises because the authentication mechanism in AEM Forms loads XML documents in an insecure manner, allowing the flaw to be exploited without authentication.
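The flaw class described above comes down to how a Java XML parser is configured before it is handed a document from an unauthenticated client. The following is an added illustration, not Adobe's or Searchlight Cyber's code, and it assumes a JAXP `DocumentBuilderFactory` is the parser in use; it contrasts the JDK default configuration with one hardened against XXE and checks both against a constructed sample document.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.InputSource;

public class XmlParserHardening {
    // JDK default: DOCTYPEs are honoured and external entities are resolved, so a
    // document from an unauthenticated client can make the parser read local
    // files or fetch URLs. This is the parser behaviour behind the XXE class.
    static DocumentBuilder defaultBuilder() throws ParserConfigurationException {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    // Hardened: refuse any DOCTYPE, and also switch off external entity and DTD
    // loading as defence in depth. setFeature throws for unknown features, so a
    // misconfigured parser fails at startup instead of running silently weaker.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return f.newDocumentBuilder();
    }

    // True if the builder parsed the document, false if it rejected it.
    static boolean accepts(DocumentBuilder b, String xml) {
        try {
            return b.parse(new InputSource(new StringReader(xml))).getDocumentElement() != null;
        } catch (Exception e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a login document carrying a DOCTYPE (the shape every
        // XXE payload needs). The entity is internal and harmless; the presence of
        // the DOCTYPE alone is what the hardened parser rejects.
        String withDoctype = "<?xml version=\"1.0\"?><!DOCTYPE login [<!ENTITY u \"test-user\">]>"
                + "<login><user>&u;</user></login>";
        String plain = "<login><user>test-user</user></login>";
        System.out.println("default accepts DOCTYPE:  " + accepts(defaultBuilder(), withDoctype));
        System.out.println("hardened accepts DOCTYPE: " + accepts(hardenedBuilder(), withDoctype));
        System.out.println("hardened accepts plain:   " + accepts(hardenedBuilder(), plain));
    }
}
```

The same feature names apply to `SAXParserFactory` and, through `XMLInputFactory` properties, to StAX; whichever API the authentication code uses, the DOCTYPE refusal is the setting that removes the XXE class outright.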

Searchlight Cyber analysts notified Adobe of the vulnerabilities in April 2025, together with CVE-2025-49533 (9.8 CVSS score), a critical untrusted-data deserialization vulnerability that was addressed in July.

On July 29, after the required 90-day waiting period, Searchlight Cyber specialists published technical details and PoC exploits for all three vulnerabilities, urging administrators to restrict access to AEM Forms in standalone deployments.

“The vulnerabilities we discovered in AEM Forms cannot be described as complex,” researchers state. “These are typical issues that should have been identified many years ago. This product, previously known as LiveCycle, has been used in corporate environments for almost two decades. This raises the question of why such simple bugs have not yet been discovered by other researchers or fixed by Adobe.”
