
Adobe Issues Out-of-Band Patches for AEM Forms Vulnerabilities With Public PoC

Adobe has released urgent security updates to resolve two AEM Forms vulnerabilities for which proof-of-concept (PoC) code exists. The post Adobe Issues Out-of-Band Patches for AEM Forms Vulnerabilities With Public PoC appeared first on SecurityWeek.

Adobe vulnerabilities

Adobe on Tuesday released out-of-band security updates that address two serious vulnerabilities in Adobe Experience Manager Forms (AEM Forms) on Java Enterprise Edition (JEE) for which public exploit code exists.

The two flaws are tracked as CVE-2025-54253 (CVSS score of 10.0) and CVE-2025-54254 (CVSS score of 8.6) and can be exploited to execute arbitrary code or read arbitrary files on the system.

“Adobe is aware that CVE-2025-54253 and CVE-2025-54254 have a publicly available proof-of-concept. Adobe is not aware of these issues being exploited in the wild,” the company notes in its advisory.

Crediting Shubham Shah and Adam Kues of Assetnote (which was acquired by Searchlight Cyber in January 2025) for reporting the vulnerabilities, Adobe urges customers to apply the newly released hotfixes that resolve both flaws.

While Adobe simply describes CVE-2025-54253 as a misconfiguration issue, Searchlight Cyber explains that it combines an authentication bypass with the Struts development mode for the admin UI being left enabled.

This combination allowed the security researchers to craft a payload leading to the execution of Object-Graph Navigation Language (OGNL) expressions.

“It is trivial to escalate this to remote command execution through the many public sandbox bypasses available. In our case, we were dealing with a rather complex WAF, and since the payload was within the GET request’s first line component, we had to be somewhat creative to achieve RCE,” Searchlight Cyber says.

CVE-2025-54254, described as an improper restriction of XML External Entity Reference (XXE) defect, exists because an authentication mechanism in AEM Forms loaded an XML document insecurely, which makes the flaw exploitable without authentication.

Searchlight Cyber reported the two issues to Adobe in April, along with CVE-2025-49533 (CVSS score of 9.8), a critical-severity deserialization of untrusted data vulnerability that was resolved as part of Adobe’s July 2025 security updates.

On July 29, in line with its 90-day disclosure policy, Searchlight Cyber released technical information and proof-of-concept (PoC) code targeting all three security defects, urging users to restrict access to AEM Forms in standalone deployments.

“All the vulnerabilities we’ve disclosed in AEM Forms are not complex,” Searchlight says. “Instead, these issues are what we would expect to have been discovered years ago. Previously known as LiveCycle, this product line has been in use by enterprises for almost two decades. That raises the question of why these simple vulnerabilities had not been caught by others or fixed by Adobe.”
