CISA Warns of Adobe AEM Vulnerability Rated CVSS 10.0 Under Active Exploitation

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent warning regarding a severe security flaw affecting Adobe Experience Manager (AEM). The flaw, now listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog, has been confirmed to be under active exploitation. With a CVSS score of 10.0, this bug represents the highest level of severity, demanding immediate attention from organizations using AEM.

Critical Details of the Vulnerability

The vulnerability, identified as CVE-2025-54253, is a misconfiguration issue that allows arbitrary code execution without authentication. It affects Adobe Experience Manager (AEM) Forms on JEE versions 6.5.23.0 and earlier. Adobe addressed it in version 6.5.0-0108, released in early August 2025, alongside a related XML external entity (XXE) flaw, CVE-2025-54254 (CVSS score: 8.6).

According to security firm FireCompass, the flaw arises from a dangerously exposed endpoint, the /adminui/debug servlet. This endpoint evaluates user-supplied OGNL expressions as Java code without authentication or input validation, so an attacker can run arbitrary system commands on the underlying host by sending a single crafted HTTP request.
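Because the servlet should never be reachable without authentication, any request that hits it is worth investigating regardless of payload. The following log-hunting script is an added example and not part of the original article or any Adobe or FireCompass code; it parses web-server access logs in the common combined format and flags requests whose path resolves to /adminui/debug after percent-decoding (twice), stripping `;jsessionid`-style path parameters and collapsing dot segments and repeated slashes, so simple evasions do not slip past a naive string match. The log lines and the query strings in them are constructed for illustration.

```python
"""Hunt access logs for requests that reach the AEM Forms /adminui/debug servlet."""
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Combined log format: src ident user [time] "METHOD TARGET PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

DEBUG_SERVLET = "/adminui/debug"

# Constructed sample log lines (not real traffic); the query strings are placeholders.
SAMPLE_LOG = """\
203.0.113.7 - - [15/Oct/2025:10:01:02 +0000] "GET /adminui/debug?debug=1 HTTP/1.1" 200 512 "-" "curl/8.4.0"
203.0.113.7 - - [15/Oct/2025:10:01:05 +0000] "POST /adminui//./Debug HTTP/1.1" 200 2048 "-" "python-requests/2.32"
198.51.100.4 - - [15/Oct/2025:10:02:11 +0000] "GET /content/forms/af/sample.html HTTP/1.1" 200 10240 "-" "Mozilla/5.0"
198.51.100.9 - - [15/Oct/2025:10:03:00 +0000] "GET /%61dminui/debug;jsessionid=ABC HTTP/1.1" 403 0 "-" "Mozilla/5.0"
"""


def split_target(target: str) -> tuple[str, str]:
    """Split a request-target into (path, query).

    Origin-form targets are split manually because urlsplit would treat a
    leading '//' as a host, not a path. Absolute-form targets (proxy-style
    request lines) go through urlsplit.
    """
    if "://" in target:
        parts = urlsplit(target)
        return parts.path, parts.query
    path, _, query = target.partition("?")
    return path, query


def normalize_path(path: str) -> str:
    """Canonicalise a URL path for matching.

    - percent-decode twice to catch double-encoded segments (%2561dminui)
    - drop ';param' path parameters such as ;jsessionid=...
    - collapse '//', '/./' and '/../' via posixpath.normpath
    - lower-case (trades a little precision for recall when hunting)
    """
    path = unquote(unquote(path))
    path = re.sub(r";[^/]*", "", path)
    path = posixpath.normpath(path)
    return path.lower()


def find_debug_servlet_hits(lines) -> list[dict]:
    """Return one record per request whose path resolves to the debug servlet."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        raw_path, query = split_target(m["target"])
        path = normalize_path(raw_path)
        if path == DEBUG_SERVLET or path.startswith(DEBUG_SERVLET + "/"):
            hits.append({
                "src": m["src"],
                "time": m["time"],
                "method": m["method"],
                "status": int(m["status"]),
                "query": query,
            })
    return hits


if __name__ == "__main__":
    for hit in find_debug_servlet_hits(SAMPLE_LOG.splitlines()):
        print(f"{hit['time']} {hit['src']} {hit['method']} status={hit['status']} query={hit['query']!r}")
```

A 200 response to such a request is a strong indicator of a reachable, unauthenticated debug servlet and should be treated as a potential compromise; a 403 still shows that someone is probing for it. Run the script over the full access-log history back to at least early August 2025, when the fix shipped.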

Exploitation and Proof-of-Concept

Although the attacks observed in the wild have not been publicly detailed, Adobe has confirmed that public proof-of-concept (PoC) code exists for both CVE-2025-54253 and CVE-2025-54254. This raises the urgency considerably, since threat actors can readily weaponize these vulnerabilities for real-world attacks.

Under Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch (FCEB) agencies must apply the fix no later than November 5, 2025.

Related Vulnerability Added to KEV

This alert comes just one day after CISA added another critical flaw to its KEV list: an improper authentication vulnerability in SKYSEA Client View (CVE-2016-7836), carrying a CVSS score of 9.8.
According to Japan Vulnerability Notes (JVN), exploitation of this flaw has already been observed in the wild. The issue stems from improper handling of authentication during TCP communication between the management console and the client, which can allow a remote attacker to execute arbitrary code.