The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added a critical Adobe Experience Manager vulnerability to its KEV catalog, saying the decision was based on evidence of active exploitation.
According to Adobe, the flaw, tracked as CVE-2025-54253 with a CVSS score of 10.0, is a misconfiguration bug that can lead to arbitrary code execution and affects Adobe Experience Manager (AEM) Forms on JEE versions 6.5.23.0 and earlier; Adobe said it was addressed in version 6.5.0-0108 released in early August 2025 alongside CVE-2025-54254.
Security company FireCompass said the issue stems from a dangerously exposed /adminui/debug servlet that evaluates user-supplied OGNL expressions as Java code without requiring authentication or input validation, and that the endpoint can be abused to execute arbitrary system commands with a single crafted HTTP request.
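Because the weak point FireCompass describes is an unauthenticated servlet at a fixed path, the most useful thing a defender can do while patching is to check whether that path is being reached at all. The following is an added example, not code from the article, Adobe, or FireCompass: it parses web-server access logs in Combined Log Format (an assumption about the log layout), flags every request whose path is /adminui/debug regardless of query string, and summarises hits by source, by whether the request carried an authenticated user, and by whether the server answered 2xx. The log lines are constructed for the example; only the endpoint path comes from the article.

```python
import re
from collections import Counter

# Constructed sample access-log lines in Combined Log Format; not real traffic.
# Line 2 and 3 reach the debug servlet from outside without an authenticated user.
SAMPLE_LOG = """\
203.0.113.10 - - [15/Oct/2025:10:01:12 +0000] "GET /content/dam/site/logo.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [15/Oct/2025:10:01:15 +0000] "GET /adminui/debug?probe=1 HTTP/1.1" 200 412 "-" "curl/8.4.0"
198.51.100.7 - - [15/Oct/2025:10:02:03 +0000] "POST /adminui/debug HTTP/1.1" 500 0 "-" "python-requests/2.31"
10.0.0.5 - admin [15/Oct/2025:10:03:44 +0000] "GET /lc/aem/forms.html HTTP/1.1" 200 9981 "-" "Mozilla/5.0"
"""

# Combined Log Format: ip ident user [timestamp] "METHOD path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]+" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Endpoint path named in the article; matched on the path component only.
DEBUG_SERVLET_PATH = "/adminui/debug"


def parse_line(line):
    """Return a dict of log fields, or None if the line is not in the expected format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_debug_servlet_request(entry):
    """True when the request path (query string and trailing slash ignored) is the debug servlet."""
    path = entry["path"].split("?", 1)[0].rstrip("/").lower()
    return path == DEBUG_SERVLET_PATH


def find_debug_servlet_hits(log_text):
    """Parse every line and keep the ones that hit the debug servlet."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and is_debug_servlet_request(entry):
            hits.append(entry)
    return hits


def summarize(hits):
    """Counts a responder cares about: volume, sources, unauthenticated hits, and 2xx answers.
    An unauthenticated hit that received a 2xx is the strongest sign the servlet is exposed."""
    return {
        "total": len(hits),
        "by_source": dict(Counter(h["ip"] for h in hits)),
        "unauthenticated": sum(1 for h in hits if h["user"] == "-"),
        "successful": sum(1 for h in hits if h["status"].startswith("2")),
    }


if __name__ == "__main__":
    found = find_debug_servlet_hits(SAMPLE_LOG)
    for h in found:
        print(f'{h["ts"]} {h["ip"]} {h["method"]} {h["path"]} -> {h["status"]} ({h["ua"]})')
    print(summarize(found))
```

The "unauthenticated" count relies on the log's user field, which only reflects HTTP-level authentication; if the servlet container records no user even for logged-in sessions, treat the "successful" count as the primary exposure signal and confirm with the application's own audit log.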
There is currently no public information on how the vulnerability is being exploited in real-world attacks, although Adobe acknowledged that proof-of-concept code for CVE-2025-54253 and CVE-2025-54254 is publicly available. CISA has advised Federal Civilian Executive Branch agencies to apply the necessary fixes by November 5, 2025.
The action follows a separate CISA addition the day before, when the agency added a critical improper-authentication vulnerability in SKYSEA Client View (CVE-2016-7836) to the KEV catalog; Japan Vulnerability Notes said in an advisory it released in 2016 that attacks exploiting that vulnerability have been observed in the wild.