Adobe has announced emergency updates to resolve two critical zero-day vulnerabilities found in Adobe Experience Manager (AEM) Forms operating on JEE. The flaws, designated as CVE-2025-54253 and CVE-2025-54254, could enable unauthenticated remote code execution on susceptible systems, following the release of proof-of-concept (PoC) exploit chains by researchers.
CVE-2025-54253 pertains to a misconfiguration that permits arbitrary code execution and has been assigned a ‘Critical’ rating with a CVSS score of 8.6. The second vulnerability, CVE-2025-54254, involves improper restriction of XML external entity (XXE) references, allows unauthorized file system reads, and carries the maximum CVSS score of 10.0. Adobe has issued fixes for both vulnerabilities, as detailed in its latest advisory.
The vulnerabilities were uncovered by researchers Shubham Shah and Adam Kues from Searchlight Cyber, who initially reported them to Adobe on April 28, 2025. The disclosure included a third issue, CVE-2025-49533, which Adobe had addressed on August 5. After more than 90 days passed without fixes for the other two flaws, the researchers notified Adobe that they would publish the vulnerabilities, which led to a detailed technical write-up released on July 29.
According to the researchers, CVE-2025-49533 is a Java deserialization flaw in the FormServer module that allows for unauthenticated remote code execution. This vulnerability arises when a servlet processes user data without validation, allowing attackers to deliver malicious payloads for command execution on the server. In addition, the XXE vulnerability can be exploited by submitting a specially crafted XML payload to a web service handling SOAP authentication, which may then disclose local files to attackers.
The misconfiguration underlying CVE-2025-54253 relates to an authentication bypass in the /adminui module, created by a misconfigured developer setting that erroneously left Struts2’s development mode enabled. This oversight permits attackers to execute OGNL expressions via debug parameters in HTTP requests.
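As an added illustration (not code from the article, the researchers or Adobe), the Python heuristic below is the kind of check a defender could run over reverse-proxy or WAF request records to flag the two request patterns described above: a `debug` parameter sent to /adminui, and external entity declarations inside XML bodies sent to a SOAP endpoint. The SOAP path and all sample requests are constructed placeholders, not values from the advisory.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample request records (URL with query string, body, method).
# A real deployment would feed these from a reverse proxy or WAF that logs
# query strings and request bodies; the SOAP path below is a placeholder.
SAMPLE_REQUESTS = [
    {"method": "GET", "url": "/adminui/index.faces", "body": ""},
    {"method": "GET", "url": "/adminui/index.faces?debug=console", "body": ""},
    {"method": "POST", "url": "/soap/services/ExampleAuthService",
     "body": '<?xml version="1.0"?><!DOCTYPE x [<!ENTITY ext SYSTEM "file:///placeholder">]>'
             '<soap:Envelope>&ext;</soap:Envelope>'},
    {"method": "POST", "url": "/soap/services/ExampleAuthService",
     "body": '<?xml version="1.0"?><soap:Envelope><soap:Body/></soap:Envelope>'},
]

# External entities (SYSTEM/PUBLIC identifier) and parameter entities (%) are the
# constructs an XML parser must refuse to resolve; legitimate SOAP bodies need neither.
EXTERNAL_ENTITY = re.compile(r"<!ENTITY\s+\S+\s+(?:SYSTEM|PUBLIC)\b", re.IGNORECASE)
PARAM_ENTITY = re.compile(r"<!ENTITY\s+%", re.IGNORECASE)


def classify_request(url, body):
    """Return heuristic findings for one request; an empty list means nothing notable."""
    findings = []
    parts = urlsplit(url)
    params = parse_qs(parts.query, keep_blank_values=True)
    # Struts2 development mode honours a 'debug' request parameter. With devMode
    # off (the fixed state) the parameter is inert, so its presence on /adminui
    # traffic is worth alerting on regardless of whether the request succeeded.
    if parts.path.startswith("/adminui") and "debug" in params:
        findings.append("struts2-debug-parameter")
    # A DOCTYPE carrying an external or parameter entity in a request body is the
    # hallmark of an XXE attempt against an endpoint that parses user-supplied XML.
    if "<!DOCTYPE" in body.upper() and (EXTERNAL_ENTITY.search(body) or PARAM_ENTITY.search(body)):
        findings.append("xml-external-entity")
    return findings


def scan_requests(records):
    """Run classify_request over a batch and return (method, url, finding) triples."""
    return [(r["method"], r["url"], finding)
            for r in records
            for finding in classify_request(r["url"], r["body"])]


if __name__ == "__main__":
    for hit in scan_requests(SAMPLE_REQUESTS):
        print(*hit)
```

The check is deliberately outcome-independent: a blocked or failed request that still matches either pattern is evidence of probing and belongs in the same alert queue as a successful one.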
Given the seriousness of these vulnerabilities and their potential for remote code execution, all system administrators are urged to apply the latest updates and hotfixes without delay. If updates cannot be immediately installed, researchers advocate restricting platform access from the internet to mitigate potential exploitation.