Critical Adobe Experience Manager flaw actively exploited

Take action: Adobe Experience Manager (AEM) Forms is now under active attack, so patching is URGENT. Apply the available patches immediately. If you cannot patch yet, restrict network access to AEM Forms from external networks until you can. Isolation is only a temporary fix: unpatched instances will be attacked.

CISA is reporting active exploitation of a critical Adobe Experience Manager (AEM) Forms flaw.

The flaw is tracked as CVE-2025-54253 (CVSS score 10.0) and stems from the Apache Struts framework being left in "devMode" within the admin interface. Combined with an authentication bypass, this setting creates a severe weakness: unauthenticated attackers can submit expressions that Struts evaluates, enabling remote code execution (RCE) on affected systems.

The situation is complicated by the public release of proof-of-concept (PoC) exploits for both CVE-2025-54253 and the related CVE-2025-54254 before Adobe's patch release. These publicly available PoCs likely accelerated exploitation attempts.

Adobe addressed both vulnerabilities on August 5, 2025, in Security Bulletin APSB25-82. The company released patches and strongly urged all users of AEM Forms on JEE to upgrade to version 6.5.0-0108 or later immediately. 

Affected versions of Adobe Experience Manager Forms include AEM Forms on JEE versions 6.5.23.0 and all earlier versions. 

CISA has mandated that Federal Civilian Executive Branch (FCEB) agencies apply the necessary security updates by November 5, 2025.

System administrators running Adobe Experience Manager Forms on JEE are strongly urged to immediately verify that their systems are not running affected versions and to apply the latest security updates without delay. Organizations should prioritize this patching activity given the active exploitation confirmed by CISA. If immediate patching is not feasible due to operational constraints, isolating AEM Forms instances from internet access can be a temporary mitigation measure.
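Beyond checking the installed version, an administrator will want to confirm that the Struts devMode setting the advisory describes is actually off in their deployment. The following is an added example, not code from the article or from Adobe: it reads the two places Struts takes that setting from (a `struts.xml` `<constant>` element or a `struts.properties` entry) and flags the instance if either source turns devMode on. The sample configuration strings and file paths are constructed for the example; `struts.devMode` is the real Struts constant name.

```python
"""Added example: confirm Apache Struts devMode is disabled.

Checks both configuration sources Struts reads the setting from and
treats the instance as at risk if EITHER enables devMode (a conservative
choice: we do not rely on which file wins precedence).
"""
import xml.etree.ElementTree as ET
from typing import List, Optional

DEVMODE_KEY = "struts.devMode"  # real Struts framework constant name

# Constructed sample inputs, not taken from any real deployment.
SAMPLE_STRUTS_XML = """<struts>
  <constant name="struts.action.extension" value="action"/>
  <constant name="struts.devMode" value="true"/>
</struts>
"""
HARDENED_STRUTS_XML = """<struts>
  <constant name="struts.devMode" value="false"/>
</struts>
"""
SAMPLE_STRUTS_PROPERTIES = """# constructed struts.properties
struts.action.extension=action
struts.devMode = false
"""


def devmode_from_xml(xml_text: str) -> Optional[bool]:
    """Return True/False if struts.xml sets struts.devMode, None if unset.
    If the constant appears more than once the last occurrence wins."""
    root = ET.fromstring(xml_text)
    result = None
    for const in root.iter("constant"):
        if const.get("name") == DEVMODE_KEY:
            result = (const.get("value") or "").strip().lower() == "true"
    return result


def devmode_from_properties(props_text: str) -> Optional[bool]:
    """Return True/False if struts.properties sets struts.devMode, None if unset.
    Handles '#'/'!' comments and both 'key=value' and 'key: value' forms."""
    result = None
    for raw in props_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, sep, value = line.partition(":")
        if sep and key.strip() == DEVMODE_KEY:
            result = value.strip().lower() == "true"
    return result


def devmode_findings(xml_text: Optional[str], props_text: Optional[str]) -> List[str]:
    """Return a list of human-readable findings; empty means devMode is off."""
    findings = []
    if xml_text is not None and devmode_from_xml(xml_text) is True:
        findings.append("struts.xml enables struts.devMode")
    if props_text is not None and devmode_from_properties(props_text) is True:
        findings.append("struts.properties enables struts.devMode")
    return findings


def devmode_enabled(xml_text: Optional[str], props_text: Optional[str]) -> bool:
    """True if any configuration source turns devMode on."""
    return bool(devmode_findings(xml_text, props_text))


def check_files(struts_xml_path: str, struts_properties_path: str) -> List[str]:
    """Read the two files from disk (paths are hypothetical) and report findings.
    A missing file simply contributes no setting."""
    texts = []
    for path in (struts_xml_path, struts_properties_path):
        try:
            with open(path, encoding="utf-8") as fh:
                texts.append(fh.read())
        except FileNotFoundError:
            texts.append(None)
    return devmode_findings(texts[0], texts[1])


if __name__ == "__main__":
    for finding in devmode_findings(SAMPLE_STRUTS_XML, SAMPLE_STRUTS_PROPERTIES):
        print("AT RISK:", finding)
    if not devmode_enabled(HARDENED_STRUTS_XML, SAMPLE_STRUTS_PROPERTIES):
        print("OK: devMode is disabled in the hardened configuration")
```

Run it against the real `struts.xml` and `struts.properties` of the AEM Forms deployment via `check_files(...)`; any non-empty result means the devMode condition the advisory describes is present and the instance should be patched or isolated first.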