What's Happening?
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning regarding a vulnerability in Adobe Experience Manager Forms (AEM Forms) that has been actively exploited in cyberattacks.
The flaw, identified as CVE-2025-54253 with a CVSS score of 10.0, was patched in August following the release of a proof-of-concept exploit. AEM Forms is a tool used for creating and managing digital forms and documents, and the vulnerability stems from a misconfiguration that allows arbitrary code execution. Researchers Shubham Shah and Adam Kues from Searchlight Cyber discovered the issue, which combines an authentication bypass with the Struts framework's development mode being left enabled. Together these allow attackers to execute Object-Graph Navigation Language (OGNL) expressions and achieve remote code execution. Adobe addressed the vulnerability in AEM Forms on Java Enterprise Edition (JEE) version 6.5.0-0108, a release that also fixed a second issue, CVE-2025-54254, related to XML External Entity (XXE) reference handling. CISA has added CVE-2025-54253 to its Known Exploited Vulnerabilities catalog, urging federal agencies to patch their systems within three weeks.
Why Is It Important?
The exploitation of the Adobe AEM Forms vulnerability poses significant risks to U.S. federal agencies and potentially other organizations using the software. The vulnerability allows attackers to execute arbitrary code, which could lead to unauthorized access, data breaches, and disruption of services. Given the widespread use of AEM Forms in managing digital documents, the flaw could impact numerous systems and processes within government agencies. The directive from CISA highlights the urgency of addressing this security issue to prevent potential exploitation. Organizations that fail to patch the vulnerability may face increased risks of cyberattacks, which could compromise sensitive information and disrupt operations. The situation underscores the importance of timely updates and vigilance in cybersecurity practices to protect against emerging threats.
What's Next?
Federal agencies are required to identify vulnerable installations of AEM Forms and apply the necessary patches within three weeks, as mandated by Binding Operational Directive 22-01. While this directive specifically targets federal agencies, CISA recommends that all organizations using AEM Forms apply the patches to mitigate risks. Adobe continues to release updates to address security defects across its products, including critical issues in its Connect collaboration suite. Organizations should remain vigilant and ensure their systems are up-to-date to protect against potential exploitation. The cybersecurity community may continue to monitor the situation for further developments and potential new vulnerabilities.
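The two practical tasks this advisory leaves with administrators are identifying installations that are still below the fixed build and confirming that the condition the researchers describe, Struts development mode left enabled, is not present in their configuration. The script below is an added example written for this page; it is not Adobe's, Searchlight Cyber's or CISA's code. It assumes the AEM Forms on JEE build is reported as a string of the form "6.5.0-NNNN" and that Struts settings live in struts.xml (as a constant element) and/or struts.properties (as a key/value line); the sample configuration fragments are constructed for the example. The devMode constant name is the standard Struts 2 setting, but the file layout of a given AEM deployment is an assumption.

```python
"""
Added audit helper for the AEM Forms advisory (not Adobe's, Searchlight Cyber's
or CISA's code). It covers two defender tasks the advisory implies:

1. Compare an AEM Forms on JEE build string against the fixed build 6.5.0-0108.
2. Find Struts development mode left enabled in configuration files, the
   condition the advisory names as what lets OGNL expressions be evaluated.

Assumptions not taken from the advisory: the build is reported as "6.5.0-NNNN",
and Struts settings live in struts.xml and/or struts.properties.
"""
import re
import xml.etree.ElementTree as ET
from pathlib import Path

FIXED_BUILD = "6.5.0-0108"      # fixed AEM Forms on JEE build named in the advisory
DEVMODE_KEY = "struts.devMode"  # standard Struts 2 constant for development mode


def parse_build(version: str) -> tuple[int, int, int, int]:
    """Turn a build string such as '6.5.0-0107' into (6, 5, 0, 107)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)-(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised AEM Forms build string: {version!r}")
    major, minor, patch, build = (int(g) for g in m.groups())
    return major, minor, patch, build


def is_patched(version: str) -> bool:
    """True when the installed build is at or above FIXED_BUILD."""
    return parse_build(version) >= parse_build(FIXED_BUILD)


def devmode_in_properties(text: str) -> bool:
    """True if a struts.properties body sets struts.devMode to true.

    Java .properties files allow '=' or ':' as the separator and '#'/'!' comments.
    """
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        m = re.fullmatch(rf"{re.escape(DEVMODE_KEY)}\s*[=:]\s*(\S*)", line)
        if m and m.group(1).lower() == "true":
            return True
    return False


def devmode_in_struts_xml(text: str) -> bool:
    """True if a struts.xml body contains <constant name="struts.devMode" value="true"/>.

    ElementTree's expat parser does not fetch the external DTD that struts.xml
    declares, so the DOCTYPE line is parsed but never resolved over the network.
    """
    root = ET.fromstring(text)
    for const in root.iter("constant"):
        value = (const.get("value") or "").strip().lower()
        if const.get("name") == DEVMODE_KEY and value == "true":
            return True
    return False


def scan_config_dir(root: Path) -> list[str]:
    """Walk a directory tree and list every Struts config file that enables devMode."""
    findings = []
    for path in root.rglob("*"):
        if path.name == "struts.properties" and devmode_in_properties(path.read_text()):
            findings.append(str(path))
        elif path.name == "struts.xml" and devmode_in_struts_xml(path.read_text()):
            findings.append(str(path))
    return findings


# Constructed sample inputs for the example; not taken from any real deployment.
SAMPLE_STRUTS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE struts PUBLIC "-//Apache Software Foundation//DTD Struts Configuration 2.5//EN"
    "http://struts.apache.org/dtds/struts-2.5.dtd">
<struts>
    <constant name="struts.devMode" value="true"/>
    <package name="default" extends="struts-default"/>
</struts>
"""
SAMPLE_PROPERTIES = "# site settings\nstruts.devMode = false\nstruts.action.extension=action\n"

if __name__ == "__main__":
    for build in ("6.5.0-0107", "6.5.0-0108", "6.5.0-0110"):
        state = "patched" if is_patched(build) else "below fixed build, apply 6.5.0-0108 or later"
        print(f"{build}: {state}")
    print("devMode enabled in sample struts.xml:", devmode_in_struts_xml(SAMPLE_STRUTS_XML))
    print("devMode enabled in sample struts.properties:", devmode_in_properties(SAMPLE_PROPERTIES))
```

Run it as-is to see the constructed samples evaluated, or call scan_config_dir on the root of an AEM Forms installation to list every struts.xml or struts.properties that still turns development mode on. The build comparison is numeric on all four components, so a later 6.5.0 build is treated as patched; a build string in any other form raises rather than silently passing, which is the behaviour you want from an audit script.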
Beyond the Headlines
The exploitation of vulnerabilities like those in Adobe AEM Forms highlights broader challenges in cybersecurity, particularly the need for robust security measures and proactive patch management. As cyber threats evolve, organizations must prioritize security to safeguard their digital assets. The incident also raises questions about the security of widely used software solutions and the importance of collaboration between software vendors and cybersecurity agencies to address vulnerabilities promptly.