CVE-2025-54253

CRITICAL KEV

Adobe Experience Manager Forms < 6.5.23.0 - Unauthenticated Arbitrary Code Execution via Misconfiguration


Exploitation Summary

CVE-2025-54253 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added October 15, 2025. EIP tracks 5 public exploits from researchers including AdityaBhatt3010, adminlove520 and zoomdbz.

AI-analyzed exploit summary: This repository provides a detailed technical analysis of CVE-2025-54253, an unauthenticated RCE vulnerability in Adobe AEM Forms on JEE, along with mitigation and detection guidance. It includes no exploit code but offers deep insights into the vulnerability mechanics, attacker playbook, and defensive strategies.

Description

Adobe Experience Manager versions 6.5.23 and earlier are affected by a Misconfiguration vulnerability that could result in arbitrary code execution. An attacker could leverage this vulnerability to bypass security mechanisms and execute code. Exploitation of this issue does not require user interaction and scope is changed.

Exploits (5)

github · WRITEUP · 7 stars
by AdityaBhatt3010 · poc
https://github.com/AdityaBhatt3010/CVE-2025-54253-Inside-the-Adobe-AEM-Forms-Zero-Day

Classification: Writeup (95%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Adobe Experience Manager (AEM) Forms on JEE (≤ 6.5.23.0)
No auth needed
Prerequisites: Internet-facing or network-accessible AEM Forms instance · Vulnerable version of AEM Forms on JEE
Analyzed by devstral-2 on Feb 19, 2026
github · WORKING POC · 2 stars
by adminlove520 · python · poc
https://github.com/adminlove520/CVE-Poc_All_in_One/tree/main/2025/CVE-2025-54253

This repository contains functional exploit code for multiple CVEs, including authentication bypass vulnerabilities in TOTOLINK devices and a scanner for Fortinet SSL VPN (CVE-2024-21762). The PoCs demonstrate the vulnerabilities with clear technical details and executable scripts.

Classification: Working PoC (90%)
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: TOTOLINK LR350, TOTOLINK T6, Fortinet SSL VPN
No auth needed
Prerequisites: Network access to the target device
Analyzed by devstral-2 on Feb 27, 2026
nomisec · SCANNER · 2 stars
by zoomdbz · poc
https://github.com/zoomdbz/AEMPWN

The repository contains a scanner tool for detecting CVE-2025-54253 and CVE-2025-54254 in Adobe Experience Manager (AEM) Forms. It supports safe detection, blind out-of-band (OOB) confirmation, and proof-of-concept validation workflows, but does not include functional exploit code for achieving RCE or XXE.

Classification: Scanner (95%)
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: Adobe Experience Manager Forms
No auth needed
Prerequisites: Access to the target AEM Forms instance · Control over an HTTP server for OOB confirmation · LDAP server for RCE mode
Analyzed by devstral-2 on Feb 19, 2026
nomisec · SUSPICIOUS · 1 star
by jm7knz · poc
https://github.com/jm7knz/CVE-2025-54253-Exploit-Demo

The repository claims to provide a simulated PoC for CVE-2025-54253 (Adobe AEM OGNL Injection) but lacks actual exploit code, instead directing users to external downloads via GitHub Releases. The README is detailed but focuses on defensive guidance rather than technical exploitation details.

Classification: Suspicious (90%)
Attack Type: Other
Complexity: Theoretical
Reliability: Theoretical
Target: Adobe AEM
No auth needed
Analyzed by devstral-2 on Feb 19, 2026
nomisec · WORKING POC · 1 star
by Shivshantp · poc
https://github.com/Shivshantp/CVE-2025-54253-Exploit-Demo

This repository contains a functional PoC for CVE-2025-54253, an OGNL injection vulnerability in Adobe AEM Forms on JEE. The exploit demonstrates remote command execution via the `/adminui/debug` endpoint using crafted OGNL expressions.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Adobe AEM Forms on JEE (<= 6.5.23.0)
No auth needed
Prerequisites: Vulnerable Adobe AEM instance with exposed `/adminui/debug` endpoint
Analyzed by devstral-2 on Feb 19, 2026

Scores

CVSS v3: 10.0
EPSS: 0.2419
EPSS Percentile: 96.2%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Source: Vulnrichment
Exploitation: active
Automatable: yes
Technical Impact: total

Details

CISA KEV: 2025-10-15
VulnCheck KEV: 2025-08-12
ENISA EUVD: EUVD-2025-23647
CWE: CWE-863
Status: published
Products (1): adobe/experience_manager_forms < 6.5.23.0
Published: Aug 05, 2025
KEV Added: Oct 15, 2025
Tracked Since: Feb 18, 2026