Adobe has issued urgent patches for two critical zero-day vulnerabilities in Adobe Experience Manager (AEM) Forms on JEE after researchers released proof-of-concept (PoC) exploits demonstrating unauthenticated remote code execution. The flaws, tracked as CVE-2025-54253 and CVE-2025-54254, stem respectively from a misconfiguration that enables code execution and from an XXE issue that allows unauthorized file access. While Adobe patched a related Java deserialization vulnerability (CVE-2025-49533) on August 5, the other two went unpatched for over three months. Researchers from Searchlight Cyber published technical details on July 29 after warning Adobe, prompting the emergency response.
CVE-2025-54254 abuses a SOAP authentication service to expose local files, and CVE-2025-54253 takes advantage of Struts2's mistakenly enabled development mode to let attackers execute commands via crafted HTTP requests. All three vulnerabilities can be used by unauthenticated attackers to compromise servers. Administrators are urged to apply the latest patches or, if updates cannot be applied immediately, to limit the servers' exposure to the internet.
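A defender-side check, added here and not code from the article, Adobe or Searchlight Cyber: it audits Struts 2 configuration files for the `struts.devMode` constant left on, the misconfiguration the article attributes to CVE-2025-54253. The struts.xml and struts.properties contents are constructed samples, and the weak setting is shown beside its corrected form.

```python
"""Audit Apache Struts 2 configuration for development mode left enabled.

Added example, not code from the article or from Adobe/Searchlight Cyber.
Struts 2 reads the `struts.devMode` constant either from struts.xml
(<constant name=... value=.../>) or from struts.properties; both file
contents below are constructed samples.
"""
import re
import xml.etree.ElementTree as ET
from typing import List, Optional

# Constructed sample: struts.xml with development mode on (the weak setting).
STRUTS_XML_WEAK = """<struts>
  <constant name="struts.devMode" value="true"/>
  <constant name="struts.enable.DynamicMethodInvocation" value="false"/>
</struts>
"""

# Constructed sample: the corrected struts.xml for a production deployment.
STRUTS_XML_HARDENED = STRUTS_XML_WEAK.replace('value="true"', 'value="false"', 1)

# Constructed sample: struts.properties overriding the same constant.
STRUTS_PROPERTIES = "struts.devMode = true\nstruts.i18n.reload=false\n"


def devmode_from_xml(xml_text: str) -> Optional[bool]:
    """Return the struts.devMode value declared in struts.xml, or None if unset."""
    root = ET.fromstring(xml_text)
    for const in root.iter("constant"):
        if const.get("name") == "struts.devMode":
            return const.get("value", "").strip().lower() == "true"
    return None


def devmode_from_properties(props_text: str) -> Optional[bool]:
    """Return the struts.devMode value from struts.properties, or None if unset."""
    for line in props_text.splitlines():
        m = re.match(r"\s*struts\.devMode\s*[=:]\s*(\S+)", line)
        if m:
            return m.group(1).lower() == "true"
    return None


def audit(xml_text: str, props_text: str = "") -> List[str]:
    """Collect findings; any hit means dev mode must be disabled before the server is exposed."""
    findings = []
    if devmode_from_xml(xml_text):
        findings.append("struts.xml: struts.devMode=true (development mode enabled)")
    if devmode_from_properties(props_text):
        findings.append("struts.properties: struts.devMode=true (development mode enabled)")
    return findings


if __name__ == "__main__":
    for label, xml in (("weak", STRUTS_XML_WEAK), ("hardened", STRUTS_XML_HARDENED)):
        print(label, audit(xml, STRUTS_PROPERTIES) or ["OK: struts.devMode off"])
```

Because struts.properties overrides struts.xml, the hardened struts.xml still yields one finding while the sample properties file keeps dev mode on; both files must be checked.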
