Today's cybersecurity headlines are brought to you by ThreatPerspective


Ethical Hacking News

Adobe Issues Emergency Fixes for AEM Forms Zero-Days After PoCs Released


Adobe has issued emergency fixes for two AEM Forms on JEE zero-days after Searchlight Cyber published a proof-of-concept (PoC) exploit chain for them. One flaw allows arbitrary code execution; the other is an improper restriction of XML External Entity reference (XXE) that allows arbitrary file system reads. The updates are available now.

  • AEM Forms on Java Enterprise Edition (JEE) was exposed to exploitation after Searchlight Cyber released a Proof of Concept (PoC) exploit chain covering an arbitrary code execution flaw and an improper restriction of XML External Entity reference (XXE) flaw.
  • CVE-2025-54253, a misconfiguration that allows arbitrary code execution, is rated maximum severity with a CVSS score of 10.0.
  • CVE-2025-54254, an improper restriction of XML External Entity reference (XXE), allows arbitrary file system reads and is rated critical with a CVSS score of 8.6.
  • Adobe's initial fix addressed only one of the reported issues; emergency updates for the remaining flaws were issued on August 5.
  • Shubham Shah and Adam Kues of Searchlight Cyber reported the vulnerabilities to Adobe on April 28, 2025 and published a technical write-up on July 29.
  • Because the flaws allow unauthenticated remote code execution on exposed servers, admins are strongly advised to install the latest updates and hotfixes as soon as possible.



  • Adobe Experience Manager (AEM) Forms on Java Enterprise Edition (JEE) was left exposed after a Proof of Concept (PoC) exploit chain was published for two unpatched flaws: one allowing arbitrary code execution and one an improper restriction of XML External Entity reference (XXE) allowing arbitrary file reads. In response, Adobe has issued emergency updates for the affected components.


    The first vulnerability, tracked as CVE-2025-54253, is described as a misconfiguration allowing arbitrary code execution. It is rated maximum severity with a CVSS score of 10.0: an attacker who exploits it gains code execution on the server. The second, CVE-2025-54254, is an improper restriction of XML External Entity reference (XXE) allowing arbitrary file system reads. It is rated critical with a CVSS score of 8.6, and exploitation exposes sensitive files on the server's file system.


    Shubham Shah and Adam Kues of Searchlight Cyber discovered the vulnerabilities and reported them to Adobe on April 28, 2025. Adobe's initial response addressed only one of the reported issues. The researchers published their write-up on July 29, more than 90 days after the report, and on August 5 Adobe issued emergency updates for all affected components, fixing both CVE-2025-54253 and CVE-2025-54254.


    The write-up covers three issues. CVE-2025-49533 is a Java deserialization vulnerability in the FormServer module that allows unauthenticated remote code execution (RCE): a servlet decodes user-supplied data and deserializes it without validation, so an attacker who sends a crafted serialized payload can execute commands on the server.


    CVE-2025-54254 affects a web service that handles SOAP authentication. Its XML parser resolves external entities, so an unauthenticated attacker can submit a crafted XML payload that makes the service return the contents of local files, such as win.ini.


    CVE-2025-54253 combines an authentication bypass in the /adminui module with a misconfigured developer setting: Struts2 development mode (struts.devMode) was left enabled by mistake, so an attacker can pass OGNL expressions through the framework's debug parameters in HTTP requests and have them evaluated on the server.
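    As an added example (not code from Adobe, Searchlight Cyber or the published PoC), the following Python triage helper checks a request for the three patterns described in the paragraphs above: Struts2 debug parameters carrying an OGNL expression, a DTD that declares an external entity in a SOAP body, and a Java serialization stream (the 0xACED0005 magic, "rO0AB" once base64-encoded) hidden in a form-encoded body the way a decode-then-deserialize servlet would receive it. It parses only the stream header to name the outermost class and never deserializes anything. The request paths, parameter names and payload bodies are constructed for illustration; they are not the affected endpoints.

```python
"""Triage helpers for the three AEM Forms on JEE bug classes described above.

Added example for this page; not Adobe's or Searchlight Cyber's code. The
request paths, parameter names and payload bodies are constructed and
hypothetical, not taken from the advisory or the published exploit chain.
"""
import base64
import re
import struct
from urllib.parse import parse_qs, quote, unquote_to_bytes, urlsplit

# Java serialization stream header: STREAM_MAGIC 0xACED, STREAM_VERSION 0x0005.
JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"
TC_OBJECT, TC_CLASSDESC = 0x73, 0x72
# base64 of any stream that starts with the magic begins with this text.
B64_SERIAL_RE = re.compile(rb"rO0AB[A-Za-z0-9+/]*={0,2}")
# External entity declaration inside a DTD (general or parameter entity).
XXE_RE = re.compile(rb'<!ENTITY\s+(?:%\s*)?\w+\s+(?:SYSTEM|PUBLIC)\s+"([^"]+)"', re.I)


def java_serial_class_name(blob: bytes):
    """Class name of the outermost object in a Java serialization stream, or
    None if blob is not a plain TC_OBJECT/TC_CLASSDESC stream. Only the stream
    prefix is parsed; nothing is deserialized."""
    if not blob.startswith(JAVA_SERIAL_MAGIC) or len(blob) < 8:
        return None
    if blob[4] != TC_OBJECT or blob[5] != TC_CLASSDESC:
        return None
    (name_len,) = struct.unpack(">H", blob[6:8])  # modified-UTF-8 length
    name = blob[8:8 + name_len]
    return name.decode("utf-8", "replace") if len(name) == name_len else None


def _serialized_candidates(body: bytes):
    """Yield the raw body and every base64 token that looks like a serialized
    stream, decoded. Both the raw and the URL-decoded body are searched,
    because form bodies percent-encode '+', '/' and '='."""
    yield body
    for buf in (body, unquote_to_bytes(body)):
        for tok in B64_SERIAL_RE.findall(buf):
            try:
                yield base64.b64decode(tok, validate=True)
            except ValueError:  # truncated or non-base64 token
                continue


def triage_request(url: str, body: bytes = b""):
    """Return [(finding, detail), ...] for one HTTP request."""
    findings = []
    query = parse_qs(urlsplit(url).query)

    # Struts2 DebuggingInterceptor (only wired in when struts.devMode=true):
    # debug=command evaluates the 'expression' parameter as OGNL.
    if "command" in query.get("debug", []) and "expression" in query:
        findings.append(("struts-devmode-ognl", query["expression"][0]))

    # XXE: a DTD in the request body declaring an external entity.
    m = XXE_RE.search(body)
    if m:
        findings.append(("xxe-external-entity", m.group(1).decode("latin-1")))

    # Deserialization: a Java serialization stream in the body, raw or base64.
    for blob in _serialized_candidates(body):
        cls = java_serial_class_name(blob)
        if cls is not None:
            findings.append(("java-serialized-object", cls))
            break
    return findings


def constructed_serialized_object(class_name: str) -> bytes:
    """Prefix of a Java serialization stream for one object of class_name:
    magic, TC_OBJECT, TC_CLASSDESC, class name, serialVersionUID, flags and
    field count. Constructed test data, not a real gadget chain."""
    name = class_name.encode()
    return (JAVA_SERIAL_MAGIC + bytes([TC_OBJECT, TC_CLASSDESC])
            + struct.pack(">H", len(name)) + name
            + b"\x00" * 8      # serialVersionUID (arbitrary here)
            + b"\x02"          # SC_SERIALIZABLE
            + b"\x00\x00")     # field count


# Constructed sample traffic; every path and parameter name is hypothetical.
_B64_PAYLOAD = base64.b64encode(
    constructed_serialized_object("com.example.ConstructedPayload")).decode()
SAMPLE_REQUESTS = [
    ("/adminui/hypothetical.action?debug=command&expression=1%2B1", b""),
    ("/hypothetical/soap/auth",
     b'<?xml version="1.0"?>\n'
     b'<!DOCTYPE x [ <!ENTITY xxe SYSTEM "file:///c:/windows/win.ini"> ]>\n'
     b'<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
     b"<s:Body><login><user>&xxe;</user></login></s:Body></s:Envelope>"),
    ("/hypothetical/formserver",
     b"payload=" + quote(_B64_PAYLOAD, safe="").encode()),
    ("/adminui/hypothetical.action?debug=xml", b""),  # devMode, but no OGNL
]


def run_samples():
    """Map each sample URL to its findings."""
    return {url: triage_request(url, body) for url, body in SAMPLE_REQUESTS}


if __name__ == "__main__":
    for url, found in run_samples().items():
        print(url, "->", found or "clean")
```

    The checks are heuristics for a WAF or a proxy that logs request bodies, not a substitute for the fixes: the debug=command check only matters while struts.devMode is enabled, so the production setting is to turn development mode off; the DTD check is cheap to enforce at the parser (disallow DOCTYPE entirely for SOAP endpoints); and spotting the serialization magic is useful for triage, but the durable fix for the FormServer issue is Adobe's update, since a class name in the stream says nothing about which gadget chain follows it.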


    Because the flaws allow unauthenticated remote code execution on vulnerable servers, Adobe strongly recommends that all admins install the latest updates and hotfixes as soon as possible. As a precaution, admins are also advised to restrict access to the platform from the internet until the updates and any further security measures are in place.


    Searchlight Cyber reported all three issues, including CVE-2025-49533, to Adobe on April 28, 2025. Researchers Shubham Shah and Adam Kues then published a technical write-up on July 29 detailing how the vulnerabilities work and how they can be chained. That publication, made while two of the three issues were still unpatched, is what turned them into zero-days and prompted Adobe's emergency update.


    The episode is a reminder that exploitable flaws can sit unpatched for months between a private report and a complete fix, and that a published exploit chain turns a pending advisory into an active risk overnight. For AEM Forms on JEE operators the practical steps are the ones above: apply the August 5 updates and hotfixes, keep administrative interfaces such as /adminui off the internet, and confirm that Struts2 development mode is disabled in production. Timely patching remains the baseline defense, but the more than 90 days between the report and the full fix here show why reducing exposure matters while a fix is still pending.




    Related Information:
  • https://www.ethicalhackingnews.com/articles/Adobe-Issues-Emergency-Fixes-for-AEM-Forms-Zero-Days-After-PoCs-Released-ehn.shtml

  • https://www.bleepingcomputer.com/news/security/adobe-issues-emergency-fixes-for-aem-forms-zero-days-after-pocs-released/

  • https://nvd.nist.gov/vuln/detail/CVE-2025-54253

  • https://www.cvedetails.com/cve/CVE-2025-54253/

  • https://nvd.nist.gov/vuln/detail/CVE-2025-49533

  • https://www.cvedetails.com/cve/CVE-2025-49533/

  • https://nvd.nist.gov/vuln/detail/CVE-2025-54254

  • https://www.cvedetails.com/cve/CVE-2025-54254/


  • Published: Tue Aug 5 18:00:16 2025 by llama3.2 3B Q4_K_M
    © Ethical Hacking News . All rights reserved.
