Adobe issues emergency fixes for AEM Forms zero-days after PoCs released www.bleepingcomputer.com/news/secu…
Adobe released emergency updates for two zero-day flaws in Adobe Experience Manager (AEM) Forms on JEE after a PoC exploit chain was disclosed that can be used for unauthenticated, remote code execution on vulnerable instances.
The flaws are tracked as CVE-2025-54253 and CVE-2025-54254:
CVE-2025-54253: Misconfiguration allowing arbitrary code execution. Rated “Critical” with a CVSS score of 8.6.
CVE-2025-54254: Improper Restriction of XML External Entity Reference (XXE) allowing arbitrary file system read. Rated “Critical” with a maximum-severity 10.0 CVSS score.
The vulnerabilities were discovered by Shubham Shah and Adam Kues of Searchlight Cyber, who disclosed them to Adobe on April 28, 2025, along with a third issue, CVE-2025-49533. Adobe initially patched CVE-2025-49533 on August 5, leaving the other two flaws unfixed for over 90 days.