Adobe Releases Emergency Patches for AEM Forms

Adobe has released out-of-band security updates to address two critical vulnerabilities in Adobe Experience Manager (AEM) Forms (Java Enterprise Edition, JEE), both of which already have public proof-of-concept (PoC) exploits.

The flaws—tracked as CVE-2025-54253 (CVSS score: 10.0, maximum severity) and CVE-2025-54254 (CVSS score: 8.6)—could allow attackers to execute arbitrary code or read arbitrary files on vulnerable systems.

“Adobe is aware that proof-of-concept exploits for CVE-2025-54253 and CVE-2025-54254 are publicly available. However, there is no evidence of active exploitation in the wild at this time,” the company stated.

Adobe credited researchers from Assetnote—acquired by Searchlight Cyber in January 2025—for discovering the vulnerabilities.


Technical Details

CVE-2025-54253
Adobe describes this as a misconfiguration issue. Searchlight Cyber explains that it is caused by a combination of:

  • An authentication bypass
  • An improperly enabled Struts development mode in the admin interface

This allows attackers to craft payloads that execute Object-Graph Navigation Language (OGNL) expressions.

“Escalating this to remote code execution (RCE) is trivial—there are many publicly available sandbox bypass techniques. However, we faced a sophisticated WAF, and since the payload had to fit in the first line of a GET request, we had to get creative to achieve RCE,” Searchlight Cyber noted.

CVE-2025-54254
This is an XML External Entity (XXE) injection vulnerability caused by unsafe XML document loading within AEM Forms’ authentication mechanism. It can be exploited without authentication.
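As an added illustration of the "unsafe XML document loading" pattern behind an XXE bug of this kind and of its fix (this is example code, not Adobe's AEM Forms code and not Searchlight Cyber's PoC): a JAXP DocumentBuilder with default settings beside a hardened one, both fed a constructed auth-style document that declares an external entity. The class name, the sample document and its placeholder SYSTEM URI are assumptions; the check only reports whether the parser attempted to fetch the entity, which is the step an XXE attack depends on.

```java
import java.io.ByteArrayInputStream;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.xml.sax.InputSource;

public class XxeHardening {
    // Constructed sample (not from the advisory): an auth-style document whose DOCTYPE declares
    // an external entity used in <token>. The SYSTEM URI is a placeholder, not a real path.
    static final String UNTRUSTED_XML =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE auth [<!ENTITY ext SYSTEM \"file:///placeholder/not-a-real-path\">]>\n"
      + "<auth><user>alice</user><token>&ext;</token></auth>";
    // Hardened factory: reject any DOCTYPE up front, and close every other external-resource path
    // too, so the parser stays safe even if the DOCTYPE rule is relaxed for some feature later.
    static DocumentBuilder hardenedBuilder() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return f.newDocumentBuilder();
    }

    // True if the parser tried to fetch the external entity, the step an XXE attack depends on.
    // The resolver hands back empty content, so nothing is actually read even in the unsafe case.
    static boolean fetchAttempted(DocumentBuilder b) {
        final boolean[] attempted = {false};
        b.setEntityResolver((publicId, systemId) -> {
            attempted[0] = true;
            return new InputSource(new StringReader(""));
        });
        try {
            b.parse(new ByteArrayInputStream(UNTRUSTED_XML.getBytes(StandardCharsets.UTF_8)));
        } catch (Exception e) { /* hardened builder rejects the DOCTYPE before resolving anything */ }
        return attempted[0];
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilder jaxpDefault = DocumentBuilderFactory.newInstance().newDocumentBuilder();
        System.out.println("JAXP default builder fetched entity: " + fetchAttempted(jaxpDefault));
        System.out.println("hardened builder fetched entity:     " + fetchAttempted(hardenedBuilder()));
    }
}
```

The same feature set applies to SAXParserFactory and, via the XMLConstants properties, to XMLInputFactory and Transformer instances; in an audit, every parser factory that handles pre-authentication input should be checked for it.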


Disclosure Timeline

Searchlight Cyber reported both vulnerabilities to Adobe in April 2025, alongside a third flaw—CVE-2025-49533 (CVSS 9.8), an untrusted data deserialization bug patched in July.

After the standard 90-day disclosure period, the researchers published technical details and PoC exploits for all three vulnerabilities on July 29, 2025. They also urged administrators to restrict access to AEM Forms in standalone deployments.


Researchers’ Criticism

“The vulnerabilities we found in AEM Forms are not sophisticated—they are basic flaws that should have been caught years ago. This product (formerly known as LiveCycle) has been used in enterprise environments for nearly two decades. It raises the question: Why were such simple bugs overlooked by other researchers or Adobe itself?”

Key Takeaways

  • Patch immediately – Both vulnerabilities are exploitable and have public PoCs.
  • Restrict access – Limit exposure of admin interfaces and XML processing.
  • Review legacy systems – Older enterprise products (like AEM Forms/LiveCycle) may contain overlooked, high-impact security gaps.
