CISA added CVE-2025-54253, a critical misconfiguration vulnerability in Adobe Experience Manager (AEM) Forms on Java Enterprise Edition (JEE), to its Known Exploited Vulnerabilities (KEV) catalog, confirming active in-the-wild exploitation. The flaw stems from an improperly enabled Apache Struts 'devMode' in the admin UI, combined with an authentication bypass, allowing unauthenticated attackers to execute arbitrary code remotely via evaluated Struts expressions. Exploitation requires no user interaction and is classified as low-complexity, posing a severe risk to standalone AEM Forms deployments on J2EE-compatible servers like JBoss.Though Adobe patched the vulnerability in August 2025 (alongside CVE-2025-54254, an XXE flaw), a public proof-of-concept (PoC) exploit was released earlier after researchers (Shubham Shah and Adam Kues) disclosed the flaws due to Adobe’s delayed response. The absence of mitigations before the patch led to active exploitation, prompting CISA to mandate Federal Civilian Executive Branch (FCEB) agencies to apply fixes by November 5, 2025. Organizations failing to upgrade to version 6.5.0-0108 or later remain exposed to full system compromise, data breaches, or lateral movement within corporate networks. The vulnerability’s exploitation could enable attackers to deploy malware, steal sensitive data, or disrupt business operations, particularly in enterprises relying on AEM Forms for critical workflows.

Adobe is facing active exploitation of a critical vulnerability (CVE-2025-54253) in its Adobe Experience Manager (AEM) Forms on JEE (versions 6.5.23 and earlier), allowing unauthenticated attackers to bypass security and execute arbitrary code remotely without user interaction. The flaw, stemming from a misconfiguration in Struts DevMode, was disclosed by researchers on April 28th but left unpatched for over 90 days, during which proof-of-concept exploits became publicly available. While Adobe released fixes on August 9th, the delay exposed organizations to potential large-scale breaches, with CISA mandating federal agencies to patch by November 5th under Binding Operational Directive (BOD) 22-01. The vulnerability poses severe risks, including unauthorized system takeover, data exfiltration, or lateral movement within corporate networks. Since AEM is widely used for enterprise content management, exploitation could lead to compromised customer data, financial records, or proprietary business logic, especially if deployed in government, healthcare, or financial sectors. CISA’s warning underscores the urgent threat, as attackers could leverage this flaw for ransomware deployment, espionage, or disruptive cyberattacks. Organizations failing to patch risk regulatory penalties, reputational damage, and operational downtime, particularly if the flaw is chained with other unpatched vulnerabilities (e.g., CVE-2025-54254).