The Cybersecurity and Infrastructure Security Agency (CISA) has added a critical Adobe Experience Manager (AEM) vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, following confirmation of active exploitation in the wild.
The flaw, tracked as CVE-2025-54253, carries the maximum CVSS severity score of 10.0, reflecting a critical impact: it allows unauthenticated arbitrary code execution on vulnerable servers.
According to Adobe’s bulletin, the vulnerability affects Adobe Experience Manager (AEM) Forms versions 6.5.23 and earlier.
It stems from a misconfiguration that could allow attackers to bypass built-in security mechanisms and execute arbitrary code on the affected system, without requiring any user interaction.
“Adobe Experience Manager versions 6.5.23 and earlier are affected by a Misconfiguration vulnerability that could result in arbitrary code execution,” Adobe confirmed. “An attacker could leverage this vulnerability to bypass security mechanisms and execute code. Exploitation of this issue does not require user interaction and scope is changed.”
Adobe acknowledged that CVE-2025-54253 now has public proof-of-concept (PoC) exploits circulating online.
“Adobe is aware that CVE-2025-54253 and CVE-2025-54254 have a publicly available proof-of-concept,” the company wrote in its security bulletin.
This revelation significantly heightens the risk, as PoC exploit availability often accelerates exploitation by ransomware groups, botnets, and initial access brokers looking to compromise enterprise environments.
Security researchers have warned that AEM instances are often exposed to the internet and used for critical content delivery and workflow management, making them a prime target for exploitation campaigns.
In response to the confirmed exploitation, CISA has mandated that all Federal Civilian Executive Branch (FCEB) agencies remediate CVE-2025-54253 by November 5, 2025.