Adobe urgently closes critical vulnerabilities in AEM Forms after exploits are published

06.08.2025 | 2 minutes | Author: Newsman

Adobe has released emergency security updates for Adobe Experience Manager Forms on JEE to close two critical 0-day vulnerabilities — CVE-2025-54253 and CVE-2025-54254 — that allow remote code execution without authentication. After the researchers published a PoC chain of attacks, the company hastily eliminated the threat.

The vulnerabilities, discovered by Searchlight Cyber researchers on April 28, 2025, went partially ignored by Adobe until August. Only after the technical description of the attacks was published on July 29 did the company release the necessary patches. The most dangerous of them is CVE-2025-54254 (CVSS 10.0), an XXE vulnerability that allows reading any file on the server without authentication.

The second issue, CVE-2025-54253, allows arbitrary code execution through a misconfiguration of developer mode in the /adminui module. Both vulnerabilities allow attackers to take full control of the AEM Forms server. The third vulnerability, CVE-2025-49533, involves unsafe Java object deserialization in the FormServer module.

Adobe recommends that you immediately update your installations or restrict external access to the service. Administrators are also advised to check whether Struts2 Dev Mode is enabled and to verify that SOAP authentication is configured correctly.
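A defender's check for the Dev Mode recommendation, as an added example that is not part of the article or of Adobe's tooling: it assumes the setting lives in the standard Struts2 form (a `struts.devMode` constant in struts.xml or a line in struts.properties) and takes the directory to scan as an argument; the sample inputs are constructed.

```python
"""Added example, not Adobe's or the article's code: audits Struts2 configuration
for an enabled developer mode (struts.devMode) in the two places it usually lives,
a <constant> in struts.xml and a line in struts.properties. Samples are constructed."""
import re
import xml.etree.ElementTree as ET
from pathlib import Path

PROP_RE = re.compile(r"^\s*struts\.devMode\s*[=:]\s*(\S+)", re.IGNORECASE)

def devmode_in_xml(text: str) -> bool:
    """True if the XML carries <constant name="struts.devMode" value="true"/>."""
    try:
        root = ET.fromstring(text)  # ElementTree does not fetch the struts DTD
    except ET.ParseError:
        return False
    return any(c.get("name") == "struts.devMode"
               and c.get("value", "").strip().lower() == "true"
               for c in root.iter("constant"))

def devmode_in_properties(text: str) -> bool:
    """True if a non-comment struts.devMode=true line is present."""
    for line in text.splitlines():
        if line.lstrip().startswith(("#", "!")):  # .properties comment markers
            continue
        m = PROP_RE.match(line)
        if m and m.group(1).lower() == "true":
            return True
    return False

def audit_tree(root_dir: str) -> list[str]:
    """Walk a deployment directory; list struts*.xml/.properties files that enable dev mode."""
    hits = []
    for path in Path(root_dir).rglob("struts*"):
        if not path.is_file():
            continue
        text = path.read_text(errors="replace")
        if (path.suffix == ".xml" and devmode_in_xml(text)) or \
           (path.suffix == ".properties" and devmode_in_properties(text)):
            hits.append(str(path))
    return hits

# Constructed samples: the XML enables dev mode; the properties file only mentions it in a comment.
SAMPLE_STRUTS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<struts>
  <constant name="struts.devMode" value="true"/>
  <package name="adminui" extends="struts-default"/>
</struts>"""
SAMPLE_PROPERTIES = "# struts.devMode = true\nstruts.devMode=false\n"
```

Run `audit_tree("/path/to/deployment")` against the unpacked application directory; any path it returns is a file that should have dev mode turned off before the server is exposed.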

Adobe Experience Manager (AEM) Forms is a popular tool for creating web forms and managing user interactions, especially in enterprise environments. Due to the use of Java technologies and complex SOAP services, the platform has an expanded attack surface. The enabled developer mode and insufficient control over external XML entities became entry points for dangerous exploits.

These vulnerabilities show how dangerous the combination of old frameworks (Struts2), careless configuration, and slow response to responsible reports from researchers can be.

This incident highlights the critical importance of responding promptly to vulnerability reports, especially when they concern enterprise platforms with large amounts of customer data. Publishing PoC code without timely patching could lead to mass attacks, and only timely updates will protect against compromise.
