Adobe has released an urgent security update for Adobe Experience Manager Forms on Java Enterprise Edition (JEE) to address two critical zero-day vulnerabilities that could allow unauthenticated attackers to execute arbitrary code and to read arbitrary files from the server's file system.
The vulnerabilities, identified as CVE-2025-54253 and CVE-2025-54254, have been assigned the highest priority rating by Adobe, with proof-of-concept exploits already publicly available.
Key Takeaways
1. Two vulnerabilities allow code execution and file access without authentication.
2. Proof-of-concept exploits are already available, increasing attack risk.
3. Update AEM Forms JEE immediately.
Adobe AEM Forms Vulnerabilities
The more severe vulnerability, CVE-2025-54253, stems from a misconfiguration issue categorized under CWE-16 and carries the maximum CVSS base score of 10.0.
Its CVSS vector, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H, reflects arbitrary code execution by a network attacker who needs no credentials and no user interaction, with a scope change and high impact on confidentiality, integrity and availability.
The combination of a network-accessible attack vector, low attack complexity and no privilege requirement is what makes this flaw particularly dangerous for internet-facing AEM Forms deployments: anything that can reach the application can attempt the attack.
The second vulnerability, CVE-2025-54254, is an improper restriction of XML External Entity Reference (XXE), classified under CWE-611: the XML parser resolves attacker-supplied external entities instead of rejecting them.
With a CVSS score of 8.6 and vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N, this flaw allows an unauthenticated attacker to read arbitrary files from the server's file system, potentially exposing configuration files, credentials and other confidential data. The vector records no integrity or availability impact, but credentials recovered this way commonly become the foothold for a follow-on compromise.
Both vulnerabilities affect Adobe Experience Manager (AEM) Forms on JEE versions 6.5.23.0 and earlier across all platforms.
Security researchers Shubham Shah and Adam Kues from Assetnote discovered and reported these critical flaws to Adobe through responsible disclosure channels.
CVE | Title | CVSS 3.1 Score | Severity
CVE-2025-54253 | Misconfiguration (CWE-16) – Arbitrary Code Execution | 10.0 | Critical
CVE-2025-54254 | XML External Entity Reference (XXE) – Arbitrary File System Read | 8.6 | Critical
Mitigations
Adobe has confirmed that proof-of-concept exploits for both CVE-2025-54253 and CVE-2025-54254 are publicly available, significantly increasing the risk of active exploitation.
However, the company states it is not currently aware of these vulnerabilities being exploited in the wild.
Organizations running affected AEM Forms on JEE installations must update to version 6.5.0-0108 without delay, as this release addresses both security flaws; confirm the installed version before and after applying the update, since earlier releases up to and including 6.5.23.0 remain vulnerable.
Adobe has classified this update with Priority 1 status, indicating the urgent nature of the patch deployment. Detailed update instructions are available through Adobe’s Experience League documentation platform.
The discovery of these zero-day vulnerabilities underscores the critical importance of maintaining current security patches for enterprise content management systems.
Because neither flaw requires authentication, network reachability is the only precondition for an attack. Organizations should therefore restrict access to AEM Forms instances, and in particular to any internet-facing ones, to trusted networks through segmentation and access controls while expediting the patching process.