This Adobe AEM flaw is as dangerous as they come, and it's already being exploited

News
By published

Patches have been released for two flaws

Avast cybersecurity
(Image credit: Avast)
  • Adobe patched two critical AEM flaws enabling code execution and file access without user interaction
  • CISA added CVE-2025-54253 and CVE-2025-54254 to KEV, confirming active exploitation
  • Agencies must patch by November 5; private sector urged to follow due to widespread risk

Adobe recently patched two flaws in its Experience Manager product, including a maximum-severity one that allows malicious actors to execute arbitrary code.

While the company said it is “not aware” of in-the-wild exploits, it did say that it saw proof-of-concept (PoC) exploits out there. Also, US Cybersecurity and Infrastructure Security Agency (CISA) added it to KEV (the known exploited vulnerability catalog), meaning it is being used in attacks.

Adobe Experience Manager (AEM) is Adobe’s enterprise-level content management system (CMS) used for building and managing websites, mobile apps, and digital experiences. It helps large organizations create, organize, and deliver personalized content across different channels.

Added to CISA's KEV

The two flaws in question are tracked as CVE-2025-54253 and CVE-2025-54254. The former is described as a “misconfiguration vulnerability” that can be abused to bypass security mechanisms and has a severity score of 10/10 (critical).

The latter is an “improper restriction of XML External Entity Reference (‘XXE)’ vulnerability that results in arbitrary file system read and allows attackers to access sensitive files - without any user interaction. It was given a severity score of 8.6/10 (high).

Both bugs were found in Adobe Experience Manager versions 6.5.23 and earlier. The patch, released in August this year, brings the tool to version 6.5.0-0108.

On October 15, CISA added both flaws to its KEV catalog, confirming reports of abuse in the wild. When a bug is added to KEV, Federal Civilian Executive Branch (FCEB) agencies have a three-week deadline to apply available fixes and mitigations or stop using the vulnerable tools altogether.

In Adobe’s case, agencies have until November 5, 2025, to apply the patches.

While CISA’s deadline only applies to FCEB agencies, other agencies and businesses in the private sector are advised to follow suit, since cybercriminals rarely differentiate between the two and will target whoever is vulnerable.

Via The Hacker News

Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!

And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.

You might also like

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.