Adobe releases emergency updates for Adobe Experience Manager Forms flaws after public PoC
Take action: If you're running Adobe Experience Manager (AEM) Forms on JEE (versions 6.5.0 to 6.5.23.0), be aware that the product is critically vulnerable and that a public PoC exists. Apply the available patches immediately, because these forms are exposed to the internet and will be attacked very soon. Alternatively, restrict network access to AEM Forms from external networks until you can patch. But isolation is only a temporary fix: someone will attack these systems if they are left unpatched.
Learn More
Adobe has addressed multiple security vulnerabilities in Adobe Experience Manager (AEM) Forms on Java Enterprise Edition (JEE) after security researchers published proof-of-concept exploits.
The vulnerabilities were discovered by security researchers Shubham Shah and Adam Kues from Searchlight Cyber, who initially disclosed the flaws to Adobe in April 2025.
Adobe initially released fixes only for one vulnerability in July 2025, leaving the remaining two unpatched. The researchers ultimately published technical details and proof-of-concept exploits on July 29, 2025, following responsible disclosure practices after the 90-day deadline passed.
Vulnerabilities summary:
- CVE-2025-54253 (CVSS score 10.0) - Misconfiguration vulnerability allowing arbitrary code execution. This flaw stems from an authentication bypass in the /adminui module combined with Struts2's development mode being mistakenly left enabled in production environments. Attackers can exploit this by executing OGNL expressions through debug parameters sent in HTTP requests, achieving unauthenticated remote code execution.
- CVE-2025-49533 (CVSS score 9.8) - Java deserialization vulnerability in the FormServer module. This untrusted data deserialization flaw allows unauthenticated remote code execution when a servlet processes user-supplied data by decoding and deserializing it without proper validation.
- CVE-2025-54254 (CVSS score 8.6) - XML External Entity (XXE) processing vulnerability. This improper restriction of XML External Entity references affects the Document Security module's web service handling SOAP authentication. Attackers can submit specially crafted XML payloads to trick the service into exposing local files such as configuration files and credentials without authentication.
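The CVE-2025-54253 vector above (a request to the admin UI carrying a Struts2 debug parameter) is something a defender can look for in web server access logs while patching is under way. The following is an added example, not code from the advisory or from Adobe; the `/adminui` URL prefix, the log format and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Common/combined access-log line: client, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Assumed URL prefix of the AEM Forms admin UI named in the advisory.
ADMIN_PREFIX = "/adminui"

def parse_line(line):
    """Return client, method, path, query params and status, or None on no match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    return {
        "client": m.group("client"),
        "method": m.group("method"),
        "path": parts.path,
        "params": parse_qs(parts.query, keep_blank_values=True),
        "status": int(m.group("status")),
    }

def is_suspicious(rec):
    """Admin UI request with a Struts2 'debug' parameter: dev mode must never
    answer this in production, so any such request deserves review."""
    return rec["path"].startswith(ADMIN_PREFIX) and "debug" in rec["params"]

def scan(lines):
    """Return (client, path, status) for every suspicious request in the log."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and is_suspicious(rec):
            hits.append((rec["client"], rec["path"], rec["status"]))
    return hits

# Constructed sample lines; addresses and paths are made up for illustration.
SAMPLE_LOG = [
    '203.0.113.5 - - [30/Jul/2025:10:01:02 +0000] "GET /adminui/ HTTP/1.1" 200 512',
    '203.0.113.5 - - [30/Jul/2025:10:01:09 +0000] "GET /adminui/home?debug=browser HTTP/1.1" 200 9120',
    '198.51.100.7 - - [30/Jul/2025:10:02:00 +0000] "POST /lc/content/xfaforms/profiles/default.html HTTP/1.1" 200 880',
    '198.51.100.7 - - [30/Jul/2025:10:02:30 +0000] "GET /content/forms/af/demo.html?debug=1 HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for client, path, status in scan(SAMPLE_LOG):
        print(f"REVIEW {client} -> {path} (HTTP {status})")
```

Access logs only record the query string, so parameters sent in a POST body are not visible to this check; a WAF or reverse proxy that logs request bodies is needed to cover that case.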
Affected versions
- AEM Forms on JEE, all versions from 6.5.0 up to and including 6.5.23.0.
- Standalone deployments of AEM Forms on J2EE-compatible servers such as JBoss, IBM WebSphere, and Oracle WebLogic.
- AEM Forms on OSGi, AEM Forms Workbench, and AEM Forms as a Cloud Service are not affected by these vulnerabilities.
Patched versions
- Users running AEM Forms on JEE version 6.5.23.0 can install the latest hotfix directly.
- Organizations using versions 6.5.18.0 through 6.5.22.0 must manually install fixes by updating specific EAR files and configuring additional system properties for Document Security deployments.
- Users on versions 6.5.17.0 and earlier must first upgrade to a supported service pack version before applying the appropriate fixes.
Given the critical nature of these flaws and the availability of public exploits, security experts strongly recommend immediate patching. Organizations that cannot immediately upgrade should restrict access to AEM Forms from external networks to limit exposure.