CVE-2025-49533

CRITICAL EXPLOITED NUCLEI

Adobe Experience Manager < 6.5.23.0 - Insecure Deserialization

Title source: rule

Description

Adobe Experience Manager (MS) versions 6.5.23.0 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could lead to arbitrary code execution by an attacker. Exploitation of this issue does not require user interaction. Scope is unchanged.

Nuclei Templates (1)

Adobe Experience Manager Forms - Insecure Deserialization

CRITICALVERIFIEDby ritikchaddha,DhiyaneshDK,s4e-io

References (1)

[Vendor Advisory] https://helpx.adobe.com/security/products/aem-forms/apsb25-67.html

Scores

CVSS v3 9.8

EPSS 0.4847

EPSS Percentile 97.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitation Intel

VulnCheck KEV 2025-07-30

Classification

CWE

CWE-502

Status published

Affected Products (1)

adobe/experience_manager < 6.5.23.0

Timeline

Published Jul 08, 2025

Tracked Since Feb 18, 2026