CVE-2025-54254

HIGH EXPLOITED

Adobe Experience Manager Forms < 6.5.23.0 - XML External Entity Injection

Title source: llm

Exploitation Summary

CVE-2025-54254 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 1 public exploit.

AI-analyzed exploit summary The repository contains a scanner tool for detecting CVE-2025-54253 and CVE-2025-54254 in Adobe Experience Manager (AEM) Forms. It includes multiple modes for safe detection, blind out-of-band (OOB) confirmation, and proof-of-concept validation, but does not contain functional exploit code for achieving RCE or XXE.

Description

Adobe Experience Manager versions 6.5.23 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could lead to arbitrary file system read. An attacker could exploit this vulnerability to access sensitive files on the local file system, scope is changed. Exploitation of this issue does not require user interaction.

Exploits (1)

vulncheck_xdb SCANNER

remote

https://github.com/zoomdbz/AEMPWN

View Code ZIP pw:eip

The repository contains a scanner tool for detecting CVE-2025-54253 and CVE-2025-54254 in Adobe Experience Manager (AEM) Forms. It includes multiple modes for safe detection, blind out-of-band (OOB) confirmation, and proof-of-concept validation, but does not contain functional exploit code for achieving RCE or XXE.

Classification

Scanner 95%

Attack Type

Info Leak

Complexity

Moderate

Reliability

Reliable

Target: Adobe Experience Manager (AEM) Forms

No auth needed

Prerequisites: Controlled HTTP server for serving DTD files · LDAP server for JNDI injection (for RCE mode) · Outbound network access from the target

MITRE ATT&CK

T1005 - Data from Local System T1552 - Unsecured Credentials

devstral-2 · analyzed Feb 25, 2026 Full analysis →

References (1)

Core 1

Core References

Vendor Advisory vendor-advisory

https://helpx.adobe.com/security/products/aem-forms/apsb25-82.html

Scores

CVSS v3 8.6

EPSS 0.0098

EPSS Percentile 77.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Details

VulnCheck KEV 2025-08-12

CWE

CWE-611

Status published

Products (1)

adobe/experience_manager_forms < 6.5.23.0

Published Aug 05, 2025

Tracked Since Feb 18, 2026