The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added a critical security flaw impacting Adobe Experience Manager to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.
The vulnerability in question is CVE-2025-54253 (CVSS score: 10.0), a maximum-severity misconfiguration bug that could result in arbitrary code execution.
According to Adobe, the shortcoming impacts Adobe Experience Manager (AEM) Forms on JEE versions 6.5.23.0 and earlier. It was addressed in version 6.5.0-0108 released early August 2025, alongside CVE-2025-54254 (CVSS score: 8.6).
Details of the two vulnerabilities were disclosed by Searchlight Cyber researchers Adam Kues and Shubham Shah in July 2025, describing CVE-2025-54253 as an “authentication bypass to [remote code execution] chain via Struts2 devmode” and CVE-2025-54254 as an XML external entity (XXE) injection within AEM Forms web services.
The flaw results from the dangerously exposed /adminui/debug servlet, which evaluates user-supplied OGNL expressions as Java code without requiring authentication or input validation,” security company FireCompass noted. “The endpoint’s misuse enables attackers to execute arbitrary system commands with a single crafted HTTP request.”
There is currently no information publicly available on how the security flaw is being exploited in real-world attacks, although Adobe acknowledged in its advisory that “CVE-2025-54253 and CVE-2025-54254 have a publicly available proof-of-concept.”
In light of active exploitation, Federal Civilian Executive Branch (FCEB) agencies are advised to apply the necessary fixes by November 5, 2025.
The development comes a day after CISA also added a critical improper authentication vulnerability in SKYSEA Client View (CVE-2016-7836, CVSS score: 9.8) to the KEV catalog. Japan Vulnerability Notes (JVN), in an advisory released in late 2016, said “attacks exploiting this vulnerability have been observed in the wild.”
“SKYSEA Client View contains an improper authentication vulnerability that allows remote code execution via a flaw in processing authentication on the TCP connection with the management console program,” the agency said.
