
Adobe has released emergency patches for two critical vulnerabilities in Adobe Experience Manager Forms (AEM Forms) on JEE (Java Enterprise Edition) for which public exploits are already available.
The vulnerabilities are tracked as CVE-2025-54253 (the maximum CVSS score of 10.0) and CVE-2025-54254 (CVSS 8.6). The first can be exploited to execute arbitrary code on the server, the second to read arbitrary files from it.
“Adobe is aware that proof-of-concept exploits for CVE-2025-54253 and CVE-2025-54254 are publicly available. Adobe has no information regarding the exploitation of these issues in real-world attacks,” the company stated.
Adobe credited the researchers at Assetnote (acquired by Searchlight Cyber in January 2025) with discovering the vulnerabilities.
Adobe classifies CVE-2025-54253 as a misconfiguration issue, but the Searchlight Cyber researchers explain that the vulnerability chains an authentication bypass with Struts development mode (devMode) that had been left enabled in the admin interface. Thanks to the bypass, the devMode functionality is reachable without credentials, so an attacker can submit a crafted request whose payload is evaluated as an Object-Graph Navigation Language (OGNL) expression; OGNL evaluation on the server is the step that leads to code execution.
“Escalating the vulnerability to remote code execution is not difficult—there are numerous solutions available online for bypassing the sandbox. In our case, we had to deal with a rather complex WAF, and since the payload was located in the first line of the GET request, we had to be inventive to achieve RCE,” say the experts at Searchlight Cyber.
The second vulnerability, CVE-2025-54254, is an XML External Entity (XXE) injection. The authentication mechanism in AEM Forms parses XML documents without disabling external entity resolution, so an attacker can trigger the flaw before authenticating; the outcome is arbitrary file read on the server.
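The XXE pattern described above, as an added example that is not code from the article or from Adobe's product: a Java XML loader built with default DocumentBuilderFactory settings beside one hardened against external entities. The document, the file path and the element names are constructed for the demo, and the insecure loader is written the way an authentication handler that reads attacker-supplied XML would typically be written.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

public class XxeDemo {

    // Constructed attacker-supplied document: the DOCTYPE declares an external
    // entity pointing at a local file, and the entity is expanded inside an
    // element the application later reads back. The path is a demo placeholder.
    static final String ATTACKER_XML =
          "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE login [\n"
        + "  <!ENTITY xxe SYSTEM \"file:///etc/hostname\">\n"
        + "]>\n"
        + "<login><user>&xxe;</user></login>\n";

    // Insecure: a factory with default settings keeps DTD processing and external
    // entity resolution enabled, so parsing untrusted input resolves the SYSTEM
    // entity and the file contents land in the <user> element. This is the shape
    // of bug the article describes for CVE-2025-54254 (demo code, not Adobe's).
    static String parseInsecure(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        DocumentBuilder b = f.newDocumentBuilder();
        Document d = b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return d.getElementsByTagName("user").item(0).getTextContent();
    }

    // Hardened: reject any document that carries a DOCTYPE, so no entity can be
    // declared at all. The remaining features are belt and braces for parsers
    // that need a DTD: no external general or parameter entities, no external
    // DTD loading, no XInclude, and JAXP secure processing turned on.
    static String parseHardened(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        DocumentBuilder b = f.newDocumentBuilder();
        Document d = b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return d.getElementsByTagName("user").item(0).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        try {
            // On a Linux host this prints the machine's hostname: the file was read.
            System.out.println("insecure parser returned: " + parseInsecure(ATTACKER_XML));
        } catch (Exception e) {
            // If the file does not exist the parser throws instead; either way the
            // entity was resolved, which is the bug.
            System.out.println("insecure parser tried to resolve the entity: " + e.getMessage());
        }
        try {
            parseHardened(ATTACKER_XML);
            System.out.println("hardened parser accepted the document (unexpected)");
        } catch (SAXException e) {
            // Expected: the DOCTYPE is rejected before any entity is touched.
            System.out.println("hardened parser rejected the document: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac XxeDemo.java && java XxeDemo`. The point of putting `disallow-doctype-decl` first is that it closes the whole class of attacks (file read, SSRF via entity URLs, entity-expansion denial of service) in one setting; the other features only matter for code paths that legitimately need a DTD, and the same settings must be applied to every XML parser the application creates, not just one.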
Searchlight Cyber reported both vulnerabilities to Adobe in April 2025, together with CVE-2025-49533 (CVSS 9.8), a critical deserialization-of-untrusted-data vulnerability that Adobe fixed in July.
On July 29, after the 90-day disclosure deadline had passed, Searchlight Cyber published technical details and PoC exploits for all three vulnerabilities and urged administrators to restrict access to standalone AEM Forms deployments.
“The vulnerabilities we discovered in AEM Forms cannot be described as complex,” researchers state. “These are typical issues that should have been identified many years ago. This product, previously known as LiveCycle, has been used in corporate environments for almost two decades. This raises the question of why such simple bugs have not yet been discovered by other researchers or fixed by Adobe.”
