
Organizations Warned of Exploited Adobe AEM Forms Vulnerability

A public PoC existed when Adobe patched the Experience Manager Forms (AEM Forms) bug in early August.

This article originally appeared on SecurityWeek.


The US cybersecurity agency CISA on Wednesday warned that a recent Adobe Experience Manager Forms (AEM Forms) vulnerability has been exploited in attacks.

Tracked as CVE-2025-54253 (CVSS score of 10.0), the flaw was patched in early August with an out-of-band update, because a proof-of-concept (PoC) exploit was already public.

AEM Forms is a solution designed for creating, managing, and publishing digital forms and documents. Described as a misconfiguration issue, the security defect can be exploited for arbitrary code execution.

Shubham Shah and Adam Kues of Searchlight Cyber, who discovered the security hole, said it was a combination of authentication bypass and the Struts development mode for the admin UI being left enabled.

An attacker could craft a payload to execute Object-Graph Navigation Language (OGNL) expressions and could use public sandbox bypasses to achieve remote code execution, the researchers said.
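The two conditions the researchers describe, development mode left on and expression evaluation reachable, map onto two routine defender checks. The script below is an added example, not code from the article, Adobe or Searchlight Cyber: it audits a Struts configuration fragment for the `struts.devMode` constant (a real Struts setting) and scans web access-log lines for OGNL expression delimiters. The struts.xml fragment, log lines, hostnames and paths are all constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import unquote

# Constructed struts.xml fragment. 'struts.devMode' is a real Struts constant;
# the package and action names are illustrative only.
SAMPLE_STRUTS_XML = """<struts>
  <constant name="struts.devMode" value="true"/>
  <constant name="struts.enable.DynamicMethodInvocation" value="false"/>
  <package name="admin" extends="struts-default">
    <action name="index" class="example.AdminAction"/>
  </package>
</struts>
"""


def struts_dev_mode_enabled(struts_xml: str) -> bool:
    """Return True when the configuration leaves Struts development mode on.

    Struts defaults devMode to false, so a missing constant counts as disabled;
    only an explicit value of "true" is flagged.
    """
    root = ET.fromstring(struts_xml)
    for const in root.iter("constant"):
        if const.get("name") == "struts.devMode":
            return const.get("value", "false").strip().lower() == "true"
    return False


# OGNL expressions are written as %{...}, ${...} or #{...}. A request whose URI
# carries one of these delimiters, raw or URL-encoded, merits investigation.
OGNL_MARKER = re.compile(r"[%$#]\{")

# Constructed access-log lines in common log format (illustrative hosts/paths).
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Aug/2025:10:01:02 +0000] "GET /content/forms/af/hr/index.html HTTP/1.1" 200 5120',
    '10.0.0.9 - - [12/Aug/2025:10:01:09 +0000] "GET /admin/index.action?x=%25%7B1%2B1%7D HTTP/1.1" 200 310',
    '10.0.0.5 - - [12/Aug/2025:10:02:15 +0000] "POST /lc/login HTTP/1.1" 302 0',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)


def find_ognl_requests(lines):
    """Return the requests whose decoded URI contains an OGNL delimiter."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in common log format
        # Decode twice so that double-encoded delimiters are caught as well.
        uri = unquote(unquote(m.group("uri")))
        if OGNL_MARKER.search(uri):
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                         "uri": uri, "status": m.group("status")})
    return hits


if __name__ == "__main__":
    print("devMode enabled:", struts_dev_mode_enabled(SAMPLE_STRUTS_XML))
    for hit in find_ognl_requests(SAMPLE_LOG):
        print("OGNL delimiter in request:", hit)
```

The devMode check is a configuration audit to run against deployed struts.xml or struts.properties files, not a substitute for the vendor patch; the log scan is deliberately broad (any delimiter, any status code) so that it also surfaces blocked probes, which is useful when correlating with the KEV notice.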

Adobe addressed the vulnerability in AEM Forms on Java Enterprise Edition (JEE) version 6.5.0-0108, an update that also fixed CVE-2025-54254 (CVSS score of 8.6), an improper restriction of XML External Entity (XXE) reference issue leading to arbitrary file system read.
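The second flaw is an XXE issue, and the standard mitigation for that class is to refuse any untrusted document that declares a DTD or entity before expansion can occur. The parser below is an added example, not Adobe's code or the AEM Forms implementation: it uses Python's expat bindings to reject DOCTYPE and entity declarations outright and to refuse external entity references as a second line of defence. Both sample documents are constructed, and the SYSTEM identifier in the hostile one is a placeholder path that is never fetched.

```python
import xml.parsers.expat


class UnsafeXMLError(ValueError):
    """Raised when untrusted XML tries to declare a DTD or entity."""


def parse_untrusted_xml(data: bytes) -> dict:
    """Parse XML into {element_name: text}, refusing DTDs and entity declarations.

    Rejecting the DOCTYPE up front is the simplest XXE defence: without a DTD
    there is nowhere to declare an entity such as SYSTEM "file:///...".
    """
    parser = xml.parsers.expat.ParserCreate()
    result = {}
    stack = []

    def forbid_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXMLError(f"DOCTYPE {name!r} not allowed in untrusted input")

    def forbid_entity(*_):
        raise UnsafeXMLError("entity declaration not allowed in untrusted input")

    def forbid_external_ref(context, base, system_id, public_id):
        # Returning 0 makes expat abort instead of fetching the resource.
        return 0

    def start(name, attrs):
        stack.append(name)
        result.setdefault(name, "")

    def end(name):
        stack.pop()

    def chars(text):
        if stack:
            result[stack[-1]] += text

    parser.StartDoctypeDeclHandler = forbid_doctype
    parser.EntityDeclHandler = forbid_entity
    parser.ExternalEntityRefHandler = forbid_external_ref
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars
    parser.Parse(data, True)
    return result


# Constructed benign form submission.
BENIGN = b"<form><name>Ada</name><dept>HR</dept></form>"

# Constructed XXE probe; the SYSTEM path is a placeholder and is never read.
HOSTILE = (
    b'<!DOCTYPE form [<!ENTITY xxe SYSTEM "file:///PLACEHOLDER/secret">]>'
    b"<form><name>&xxe;</name></form>"
)


def is_rejected(data: bytes) -> bool:
    """True when the hardened parser refuses the document."""
    try:
        parse_untrusted_xml(data)
    except UnsafeXMLError:
        return True
    return False


if __name__ == "__main__":
    print("benign:", parse_untrusted_xml(BENIGN))
    print("hostile rejected:", is_rejected(HOSTILE))
```

Refusing the DTD entirely also blocks entity-expansion denial of service ("billion laughs"), which is why it is preferable to merely disabling external entity resolution when the application has no legitimate need for DTDs.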

“Adobe is aware that CVE-2025-54253 and CVE-2025-54254 have a publicly available proof-of-concept,” the company warned in August, urging customers to update their deployments as soon as possible.

On Wednesday, CISA added CVE-2025-54253 to its Known Exploited Vulnerabilities (KEV) catalog, warning of its in-the-wild exploitation, without providing information on the observed attacks.

As mandated by Binding Operational Directive (BOD) 22-01, federal agencies were given three weeks to identify vulnerable AEM Forms installations in their environments and apply the available patches.

While BOD 22-01 only applies to federal agencies, CISA recommends that all organizations apply patches for the vulnerabilities described in the KEV list.

This week, Adobe released patches for over 35 security defects in its products, including a critical-severity issue in the Connect collaboration suite.

Related: Adobe Patches Critical ColdFusion and Commerce Vulnerabilities

Related: Microsoft Patches 173 Vulnerabilities, Including Exploited Windows Flaws

Related: ICS Patch Tuesday: Fixes Announced by Siemens, Schneider, Rockwell, ABB, Phoenix Contact

Related: Fortra GoAnywhere MFT Zero-Day Exploited in Ransomware Attacks
