CVE-2025-54253 — Adobe Experience Manager Forms Code Execution Vulnerability

CVE-2025-54253

Adobe AEM Forms (JEE) — Pre-Auth OGNL RCE via Struts devMode Debug Endpoint (CVSS 10)

What is Adobe Experience Manager Forms?

Adobe Experience Manager (AEM) is an enterprise content management platform used by large organizations and government agencies for web content management, digital assets, and form-based data collection. AEM Forms on JEE (Java EE) is the server-side component that processes complex forms, automates document workflows, and manages digital signatures — deployed in environments handling sensitive regulatory documents, HR forms, financial applications, and government services. JEE deployments are typically on-premises and use the Apache Struts 2 framework internally for web request handling. AEM Forms on JEE is a different deployment model from AEM Forms on OSGi (cloud-native).

Overview

CVE-2025-54253 is a perfect-10 code execution vulnerability (CWE-863: Incorrect Authorization) in Adobe Experience Manager Forms on JEE. The root cause is a combination of an authentication bypass in the /adminui module and Apache Struts 2's development mode (devMode) being left enabled by default in the JEE deployment. devMode enables a debug servlet that evaluates user-supplied OGNL expressions as Java code — without authentication. A remote unauthenticated attacker can POST malicious OGNL to this endpoint and achieve full server-side RCE. Adobe issued an emergency out-of-band patch on 5 August 2025 after public PoC code began circulating. CISA confirmed exploitation of unpatched systems and added it to the KEV catalog 10 weeks later.

Affected Versions

Product                                Vulnerable             Fixed
Adobe Experience Manager Forms on JEE  6.5.23.0 and earlier   Patch 6.5.0-0108 (APSB25-82)

AEM Forms on OSGi (cloud/SaaS) is not affected — this vulnerability only impacts the JEE (on-premises) deployment model.

Technical Details

The vulnerability (CWE-863: Incorrect Authorization) is a two-part exploit chain:

  1. Authentication bypass in /adminui: The administrative UI module fails to enforce authentication before processing certain requests, allowing unauthenticated access to admin-only functionality.

  2. Apache Struts 2 devMode OGNL execution: AEM Forms on JEE uses Apache Struts 2 internally. Struts 2's development mode (devMode=true) enables a /adminui/debug servlet that processes OGNL (Object-Graph Navigation Language) expressions submitted in HTTP parameters for debugging purposes. When devMode is active, OGNL expressions are evaluated as full Java code. Attackers use well-known Struts OGNL sandbox bypass techniques to achieve OS command execution from the OGNL context.

Adobe shipped AEM Forms on JEE with devMode=true in production, as this was a historical default that was never corrected for on-premises deployments. The combination of unauthenticated access to the admin UI and OGNL execution creates a pre-authentication RCE path with a CVSS of 10.0 (Scope:Changed because the Struts process can reach the underlying OS).

Companion CVE-2025-54254 was patched simultaneously in APSB25-82.

Discovery

Discovered by Shubham Shah and Adam Kues of Searchlight Cyber. Security researchers identified the issue as early as April 2025 and public PoC code began circulating before Adobe's patch — which triggered the emergency out-of-band release on 5 August 2025.

Exploitation Context

Public PoC code was circulating before the patch, leading Adobe to issue an emergency fix rather than waiting for a regular patch cycle. CISA added CVE-2025-54253 to the KEV catalog on 15 October 2025 — approximately 10 weeks after the patch — confirming exploitation of unpatched instances in the wild. The 10-week gap between patch and KEV listing indicates ongoing exploitation of organizations that had not applied the emergency update. No specific named threat actor has been publicly attributed. AEM Forms on JEE deployments are common in government agencies and large enterprises handling sensitive form data, making them high-value targets.

Remediation

  1. Apply Adobe APSB25-82 patch (version 6.5.0-0108) immediately — download from Adobe's licensing portal and apply following the AEM Forms JEE patch installation guide.
  2. Disable Struts devMode as a standalone hardening step: locate struts.xml or struts-default.xml in the AEM Forms JEE deployment and set <constant name="struts.devMode" value="false"/>. Restart the application server after changes.
  3. Check for exploitation indicators: search application server logs for POST requests to /adminui/debug or /adminui/struts endpoints from unexpected source IPs, particularly before 5 August 2025.
  4. Audit file system for new files (web shells, JSP backdoors) in the AEM Forms deployment directories.
  5. Also apply the fix for CVE-2025-54254 — the same APSB25-82 patch addresses both vulnerabilities.
  6. Restrict admin UI network access: apply firewall rules limiting access to /adminui/ to trusted administrative IP ranges only.
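A defender-side check for steps 2 and 3 above, as an added example that is not part of this advisory or of Adobe's own tooling: it parses a struts.xml fragment for the struts.devMode constant (weak value beside the corrected one) and scans access-log lines for POST requests to /adminui/debug and /adminui/struts, separating trusted admin ranges from unexpected source IPs and flagging requests dated before the 5 August 2025 patch. The XML fragments, the log lines and their layout, and the 10.10.0.0/24 admin range are constructed assumptions.

```python
"""Defender-side triage helpers for CVE-2025-54253 (AEM Forms on JEE).

Two checks from the remediation list:
  * audit_struts_devmode(): does a struts.xml still carry the weak
    struts.devMode=true constant, or the hardened value="false"?
  * find_debug_requests(): which access-log lines are POSTs to /adminui/debug
    or /adminui/struts, from which source IPs, and were they logged before
    the 5 August 2025 emergency patch?
The XML fragments, log lines and IP ranges below are constructed samples.
"""
import ipaddress
import re
import xml.etree.ElementTree as ET
from datetime import date, datetime
from typing import NamedTuple

PATCH_DATE = date(2025, 8, 5)          # APSB25-82 release date (from the advisory)
DEBUG_PREFIXES = ("/adminui/debug", "/adminui/struts")

# Constructed struts.xml fragments: the weak setting and its corrected form.
WEAK_STRUTS_XML = """<struts>
  <constant name="struts.devMode" value="true"/>
  <constant name="struts.action.extension" value="action"/>
</struts>"""
HARDENED_STRUTS_XML = WEAK_STRUTS_XML.replace('value="true"', 'value="false"')


def audit_struts_devmode(xml_text: str) -> bool:
    """Return True when struts.devMode resolves to true (the vulnerable setting).

    Struts treats an absent constant as false, so only an explicit
    value="true" counts as enabled.
    """
    root = ET.fromstring(xml_text)
    for const in root.iter("constant"):
        if const.get("name") == "struts.devMode":
            return const.get("value", "").strip().lower() == "true"
    return False


class Finding(NamedTuple):
    source_ip: str
    when: datetime
    path: str
    status: int
    trusted_source: bool   # request came from an expected admin range
    pre_patch: bool        # request dated before the emergency patch


# Common access-log layout (assumed): ip - user [dd/Mon/yyyy:HH:MM:SS zone] "METHOD path proto" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def find_debug_requests(log_text: str, trusted_cidrs: list[str]) -> list[Finding]:
    """Flag every POST to the devMode debug endpoints; callers escalate untrusted ones."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        path = m["target"].split("?", 1)[0]          # compare the path without its query string
        if not path.startswith(DEBUG_PREFIXES):
            continue
        when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        ip = ipaddress.ip_address(m["ip"])
        findings.append(Finding(
            source_ip=str(ip),
            when=when,
            path=path,
            status=int(m["status"]),
            trusted_source=any(ip in net for net in trusted),
            pre_patch=when.date() < PATCH_DATE,
        ))
    return findings


def untrusted_hits(findings: list[Finding]) -> list[Finding]:
    """The subset worth escalating: debug-endpoint POSTs from outside admin ranges."""
    return [f for f in findings if not f.trusted_source]


# Constructed log excerpt; 10.10.0.0/24 plays the trusted admin network.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Aug/2025:10:15:32 +0000] "POST /adminui/debug HTTP/1.1" 200 512
10.10.0.15 - - [01/Aug/2025:10:16:01 +0000] "GET /adminui/ HTTP/1.1" 302 0
198.51.100.23 - - [02/Aug/2025:03:44:10 +0000] "POST /adminui/struts/action?x=1 HTTP/1.1" 500 0
10.10.0.15 - - [06/Aug/2025:08:00:00 +0000] "POST /adminui/debug HTTP/1.1" 200 120
203.0.113.7 - - [03/Aug/2025:11:00:00 +0000] "POST /content/forms/af/sample.html HTTP/1.1" 200 3000
"""
TRUSTED_ADMIN_RANGES = ["10.10.0.0/24"]

if __name__ == "__main__":
    print("devMode enabled (weak config):", audit_struts_devmode(WEAK_STRUTS_XML))
    print("devMode enabled (hardened config):", audit_struts_devmode(HARDENED_STRUTS_XML))
    for f in untrusted_hits(find_debug_requests(SAMPLE_LOG, TRUSTED_ADMIN_RANGES)):
        print(f"{f.when:%Y-%m-%d} {f.source_ip} POST {f.path} -> {f.status} pre_patch={f.pre_patch}")
```

Hits from the trusted range are kept in the result rather than dropped, so an analyst can still review admin-network activity; only the source-range and patch-date flags differ. Adjust LOG_RE if the application server writes a different access-log layout.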

Key Details

Property               Value
CVE ID                 CVE-2025-54253
Vendor / Product       Adobe — Experience Manager (AEM) Forms
NVD Published          2025-08-05
NVD Last Modified      2025-10-23
CVSS 3.1 Score         10
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Severity               CRITICAL
CWE                    CWE-863
CISA KEV Added         2025-10-15
CISA KEV Deadline      2025-11-05
Known Ransomware Use   No

CVSS 3.1 Breakdown

Metric                 Value
Attack Vector          Network
Attack Complexity      Low
Privileges Required    None
User Interaction       None
Scope                  Changed
Confidentiality        High
Integrity              High
Availability           High

Required Action

CISA BOD 22-01 Deadline: 2025-11-05. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date         Event
2025-08-05   Adobe releases emergency out-of-band patch APSB25-82; CVE published; public PoC already circulating
2025-10-15   CISA adds to Known Exploited Vulnerabilities catalog — confirmed exploitation of unpatched instances
2025-11-05   CISA BOD 22-01 remediation deadline