Normal view

Received before yesterday

Critical AEM Vulnerability (CVE-2025-54253) Actively Exploited, Says CISA

✇Cybersecurity News and Magazine
By:Ashish Khaitan
17 October 2025 at 08:56

CVE-2025-54253

A new vulnerability in Adobe Experience Manager (AEM) Forms has been confirmed as actively exploited in the wild, prompting the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add it to its Known Exploited Vulnerabilities (KEV) catalog. The flaw, tracked as CVE-2025-54253, affects Adobe Experience Manager (AEM) Forms on Java Enterprise Edition (JEE) and was first patched in August 2025. 

Misconfiguration Leads to Remote Code Execution 

CVE-2025-54253 stems from a misconfiguration in AEM Forms that leaves the Apache Struts framework in “devMode” within the admin interface. This setting, combined with an authentication bypass, allows unauthenticated attackers to execute expressions that Struts evaluates, opening the door to remote code execution (RCE).  The vulnerability can be exploited through low-complexity attacks, requires no user interaction, and impacts AEM Forms versions 6.5.23.0 and earlier. Security researchers identified that the root cause is a failure to properly secure developer mode configurations, which should not be exposed in production environments. 

Public Exploits Accelerate the CVE-2025-54253 Threat 

Prior to Adobe’s patch release, proof-of-concept (PoC) exploits for both CVE-2025-54253 and a related issue, CVE-2025-54254, were publicly shared. These PoCs likely accelerated exploitation attempts by threat actors. Despite both vulnerabilities being publicly known, only CVE-2025-54253 has so far been added to the KEV catalog.  CISA has not clarified whether attackers are leveraging the public PoC directly or if they have developed their own methods of exploitation. The agency typically does not disclose technical details or attribution when updating the KEV catalog. 

Adobe Patch Released in August 2025 

Adobe addressed both vulnerabilities on August 5, 2025 through Security Bulletin APSB25-82. The company urged all users of AEM Forms on JEE to upgrade to version 6.5.0-0108 or later. At the time of the advisory, Adobe stated it was not aware of any active exploitation, though that situation has now changed with CISA's confirmation.  The second vulnerability, CVE-2025-54254, involves an Improper Restriction of XML External Entity Reference (CWE-611), which could allow an arbitrary file system to be read. While critical, it has not yet been confirmed as actively exploited. 

Federal Agencies Ordered to Patch by November 

CISA has mandated that Federal Civilian Executive Branch (FCEB) agencies apply the necessary updates by November 5, 2025. This directive is part of a broader effort to secure federal networks from known high-risk threats.  The affected vulnerabilities have received critical CVSS base scores: 
  • CVE-2025-54253 (Incorrect Authorization): CVSS 10.0, enabling arbitrary code execution 
  • CVE-2025-54254 (XXE Vulnerability): CVSS 8.6, enabling arbitrary file reads 
Both vulnerabilities were reported to Adobe by Shubham Shah and Adam Kues of Assetnote, who worked with the vendor to coordinate disclosure and remediation.  While the AEM platform is a key component in digital experience delivery for many enterprises, misconfigurations like this one can introduce risks, particularly when they expose development features in production environments. The combination of Java Enterprise Edition (JEE) complexity and web-accessible admin interfaces increases the attack surface for products like AEM.  System administrators running Adobe Experience Manager Forms on JEE are strongly urged to verify that their systems are not running affected versions and to apply the latest security updates immediately. If immediate patching is not feasible, isolating AEM Forms from internet access, especially when deployed as a standalone service, can serve as a temporary mitigation. 

Patch Tuesday, June 2025 Edition

✇Krebs on Security
By:BrianKrebs
10 June 2025 at 20:10

Microsoft today released security updates to fix at least 67 vulnerabilities in its Windows operating systems and software. Redmond warns that one of the flaws is already under active attack, and that software blueprints showing how to exploit a pervasive Windows bug patched this month are now public.

The sole zero-day flaw this month is CVE-2025-33053, a remote code execution flaw in the Windows implementation of WebDAV — an HTTP extension that lets users remotely manage files and directories on a server. While WebDAV isn’t enabled by default in Windows, its presence in legacy or specialized systems still makes it a relevant target, said Seth Hoyt, senior security engineer at Automox.

Adam Barnett, lead software engineer at Rapid7, said Microsoft’s advisory for CVE-2025-33053 does not mention that the Windows implementation of WebDAV is listed as deprecated since November 2023, which in practical terms means that the WebClient service no longer starts by default.

“The advisory also has attack complexity as low, which means that exploitation does not require preparation of the target environment in any way that is beyond the attacker’s control,” Barnett said. “Exploitation relies on the user clicking a malicious link. It’s not clear how an asset would be immediately vulnerable if the service isn’t running, but all versions of Windows receive a patch, including those released since the deprecation of WebClient, like Server 2025 and Windows 11 24H2.”

Microsoft warns that an “elevation of privilege” vulnerability in the Windows Server Message Block (SMB) client (CVE-2025-33073) is likely to be exploited, given that proof-of-concept code for this bug is now public. CVE-2025-33073 has a CVSS risk score of 8.8 (out of 10), and exploitation of the flaw leads to the attacker gaining “SYSTEM” level control over a vulnerable PC.

“What makes this especially dangerous is that no further user interaction is required after the initial connection—something attackers can often trigger without the user realizing it,” said Alex Vovk, co-founder and CEO of Action1. “Given the high privilege level and ease of exploitation, this flaw poses a significant risk to Windows environments. The scope of affected systems is extensive, as SMB is a core Windows protocol used for file and printer sharing and inter-process communication.”

Beyond these highlights, 10 of the vulnerabilities fixed this month were rated “critical” by Microsoft, including eight remote code execution flaws.

Notably absent from this month’s patch batch is a fix for a newly discovered weakness in Windows Server 2025 that allows attackers to act with the privileges of any user in Active Directory. The bug, dubbed “BadSuccessor,” was publicly disclosed by researchers at Akamai on May 21, and several public proof-of-concepts are now available. Tenable’s Satnam Narang said organizations that have at least one Windows Server 2025 domain controller should review permissions for principals and limit those permissions as much as possible.

Adobe has released updates for Acrobat Reader and six other products addressing at least 259 vulnerabilities, most of them in an update for Experience Manager. Mozilla Firefox and Google Chrome both recently released security updates that require a restart of the browser to take effect. The latest Chrome update fixes two zero-day exploits in the browser (CVE-2025-5419 and CVE-2025-4664).

For a detailed breakdown on the individual security updates released by Microsoft today, check out the Patch Tuesday roundup from the SANS Internet Storm Center. Action 1 has a breakdown of patches from Microsoft and a raft of other software vendors releasing fixes this month. As always, please back up your system and/or data before patching, and feel free to drop a note in the comments if you run into any problems applying these updates.

❌