CISA Alert: Actively Exploited Adobe AEM Forms Vulnerability

A critical flaw in Adobe Experience Manager Forms (CVE-2025-54253) is being actively exploited, allowing unauthenticated remote code execution via a misconfigured Struts debug mode. CISA has added the bug to its KEV catalog and mandated urgent patching across federal and enterprise systems.

    A critical vulnerability in Adobe Experience Manager (AEM) Forms has come under intense scrutiny following confirmation of active exploitation in the wild. Tracked as CVE-2025-54253, the flaw involves a misconfiguration that enables unauthenticated attackers to remotely execute arbitrary code, posing a severe threat to organizations using vulnerable installations of AEM Forms on Java Enterprise Edition (JEE). The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has responded swiftly by adding the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog and mandating mitigation actions from federal agencies.

    Misconfigured Struts Debug Mode Creates Remote Code Execution Risk

    CVE-2025-54253 stems from a misconfiguration related to Apache Struts’ “Development Mode” (DevMode), which was unintentionally left enabled in the administrative interface of certain AEM Forms deployments. This configuration exposes the `/adminui/debug` servlet, which processes user-supplied OGNL (Object-Graph Navigation Language) expressions. Because these expressions are evaluated server-side with access to Java objects and methods, the endpoint is a direct vector for remote code execution (RCE).

    Exploitation Requires No Authentication and Yields Full System Compromise

    Security researchers discovered the vulnerability as early as April 2025, and according to SOCRadar, a publicly available proof-of-concept (PoC) exploit was circulating prior to Adobe’s official patch release on August 5. The Cyber Express confirmed that not only CVE-2025-54253 but also a related vulnerability, CVE-2025-54254, which allows arbitrary file reads, was being actively exploited, with PoCs published online.

    Both flaws affect AEM Forms 6.5.23.0 and earlier versions. While CVE-2025-54254 carries a CVSS score of 8.6, CVE-2025-54253 has received the maximum criticality rating—10.0 on the Common Vulnerability Scoring System (CVSS)—underscoring its potential for wide-scale impact.

    CISA Adds CVE-2025-54253 to KEV Catalog and Issues Federal Deadline

    Over the following months, signs of active exploitation emerged. By October 15, 2025, CISA had officially added CVE-2025-54253 to its KEV catalog, signaling confirmed in-the-wild abuse targeting Adobe AEM Forms infrastructure. In line with its directive for managing critical vulnerabilities, CISA issued a binding operational directive requiring all Federal Civilian Executive Branch agencies to apply relevant patches by November 5, 2025.

    This patching mandate aims to thwart potential exploitation on federal systems and reduce the attack surface across government networks. CISA emphasized that the same recommendation should extend to private enterprises given the severity of the flaw and ease of exploitation.

    “This Adobe AEM flaw is as dangerous as they come,” wrote TechRadar, noting that the vulnerability not only bypasses traditional security mechanisms but also grants full control to unauthenticated attackers.

    Adobe Patch Requires Urgent Deployment Across All Impacted Installations

    Adobe addressed both CVE-2025-54253 and CVE-2025-54254 in version 6.5.0-0108 of AEM Forms on JEE, released in August. The Adobe Security Bulletin APSB25-82 strongly advises users to immediately deploy the patched version to prevent exploitation.

    According to the advisory, the vulnerability arises from improper configuration choices during development, specifically the unintentional exposure of debug-related functionality in production environments—a textbook error with significant consequences.

    Detection and Mitigation Recommendations for Security Teams

    Organizations unable to patch immediately should take the following steps to mitigate exposure:

    • Audit HTTP logs for unusual access to the `/adminui/debug` endpoint.
    • Disable or restrict access to admin interface URLs from untrusted hosts.
    • Leverage Web Application Firewalls (WAFs) to block attempted exploitation of OGNL injection patterns.
    • Monitor systems for unusual processes or outbound connections that could signal a post-exploitation payload.
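The first two recommendations above (audit HTTP logs for the `/adminui/debug` endpoint, watch for OGNL injection patterns) can be turned into a small log triage script. The following is an added example written for this page; it is not part of the CISA alert, of SOCRadar's guidance or of Adobe's tooling. It parses web-server access logs in the common "combined" format, normalizes each request path (percent-decoding twice and collapsing dot segments, so an encoded or `..`-laden path that still reaches the debug servlet is not missed), and flags hits on `/adminui/debug`, on the wider admin interface, and requests carrying OGNL expression delimiters. The log lines, the query parameter name `q` and the source addresses are constructed samples.

```python
"""Triage web-server access logs for requests to the AEM Forms debug servlet.

Added example, not part of the CISA alert or of Adobe's tooling. It flags
requests whose normalized path is the Struts debug servlet (/adminui/debug)
or anything else under /adminui/, and requests that carry OGNL expression
delimiters. The log lines below are constructed samples in the Apache/nginx
"combined" format; the source addresses are documentation ranges.
"""
import posixpath
import re
from typing import List, Optional
from urllib.parse import unquote, urlsplit

# combined format: src ident user [time] "METHOD target PROTO" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# OGNL expression delimiters as they appear in a decoded request line; WAF
# rules for OGNL injection key on the same markers.
OGNL_MARKER_RE = re.compile(r'%\{|\$\{')

DEBUG_PATH = "/adminui/debug"
ADMIN_PREFIX = "/adminui"


def decode_twice(s: str) -> str:
    """Undo percent-encoding twice so double-encoded requests are not missed."""
    return unquote(unquote(s))


def normalize_path(target: str) -> str:
    """Decode the path and collapse dot segments, so that
    /adminui/%2e%2e/adminui/debug resolves to /adminui/debug."""
    path = decode_twice(urlsplit(target).path)
    return posixpath.normpath(path).lower()


def classify(line: str) -> Optional[dict]:
    """Return a finding for a suspicious log line, or None for a benign one."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = m.group("target")
    path = normalize_path(target)
    reasons = []
    if path == DEBUG_PATH:
        reasons.append("request to Struts debug servlet")
    elif path == ADMIN_PREFIX or path.startswith(ADMIN_PREFIX + "/"):
        reasons.append("request to admin interface")
    if OGNL_MARKER_RE.search(decode_twice(target)):
        reasons.append("OGNL expression delimiters in request")
    if not reasons:
        return None
    return {
        "src": m.group("src"),
        "time": m.group("time"),
        "path": path,
        "status": int(m.group("status")),
        "reasons": reasons,
    }


def triage(log_text: str) -> List[dict]:
    """Run classify() over every line and keep the findings, in log order."""
    return [f for f in (classify(line) for line in log_text.splitlines()) if f]


# Constructed sample: one benign request, one debug-servlet request carrying an
# OGNL expression in the query string, one double-dot path that normalizes to
# the servlet, and one blocked hit on the admin root.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Oct/2025:09:12:01 +0000] "GET /content/forms/af/intake.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [14/Oct/2025:09:12:44 +0000] "GET /adminui/debug?q=%25%7B1%2B1%7D HTTP/1.1" 200 312 "-" "curl/8.4.0"
198.51.100.5 - - [14/Oct/2025:09:13:10 +0000] "POST /adminui/%2e%2e/adminui/debug HTTP/1.1" 200 77 "-" "python-requests/2.32"
203.0.113.7 - - [14/Oct/2025:09:14:02 +0000] "GET /adminui/ HTTP/1.1" 403 199 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['time']} {f['src']} {f['path']} {f['status']}: {'; '.join(f['reasons'])}")
```

A `200` on the debug servlet is the finding that matters most: it means the servlet answered, so the host should be treated as exposed and checked for the post-exploitation signs listed above, not just logged. A `403` on `/adminui/` shows the access restriction working and is useful mainly to identify who is probing.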

    The security firm SOCRadar also recommends using behavioral analysis tools to detect unauthorized actions initiated from unexpected administration endpoints.

    A Reminder to Verify Configuration in Production Environments

    While Adobe Experience Manager (AEM) continues to be trusted widely as a robust content management platform, this incident serves as a stark reminder of the dangers associated with misconfigured development features in production systems.

    As evident in the CVE-2025-54253 case, such oversights can transform benign developer utilities into high-impact attack vectors, especially when exposed via the public internet. Organizations should therefore evaluate their deployment pipelines to ensure staging configurations do not carry over into live environments.
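The root cause described in the section on the Struts debug mode, and the advice here to check that staging configuration does not reach production, both come down to one setting: the Apache Struts `struts.devMode` constant. The script below is an added example written for this page, not Adobe's or Apache Struts' own code. It reads the two standard places where Struts takes that constant, a `<constant>` element in `struts.xml` and a key in `struts.properties`, and reports every source that enables it, shown against a corrected production copy of the same file. The page does not say where AEM Forms keeps these files, so the paths in `audit_example()` are assumptions, and the file contents are constructed samples.

```python
"""Audit Struts configuration sources for Development Mode left enabled.

Added example, not Adobe's or Apache Struts' own code. It reads the two
standard places where Struts takes the struts.devMode constant, a <constant>
element in struts.xml and a key in struts.properties, and reports any source
that sets it to true. The advisory does not say where AEM Forms keeps these
files, so the paths used in audit_example() are assumptions, and the file
contents below are constructed samples.
"""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

DEVMODE_KEY = "struts.devMode"

# Java .properties separators: '=', ':' or whitespace between key and value.
PROP_RE = re.compile(r"^([^=:\s]+)\s*[=:\s]\s*(.*)$")


def _as_bool(value: str) -> bool:
    # Struts parses the constant as a Java boolean: only "true" (any case) enables it.
    return value.strip().lower() == "true"


def devmode_in_struts_xml(xml_text: str) -> Optional[bool]:
    """True/False if struts.xml sets struts.devMode, None if it does not mention it.
    If the constant appears more than once, the last definition wins."""
    state = None
    for const in ET.fromstring(xml_text).iter("constant"):
        if const.get("name") == DEVMODE_KEY:
            state = _as_bool(const.get("value", ""))
    return state


def devmode_in_struts_properties(props_text: str) -> Optional[bool]:
    """Same contract as above for a struts.properties file."""
    state = None
    for raw in props_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":        # blank lines and comments
            continue
        m = PROP_RE.match(line)
        if m and m.group(1) == DEVMODE_KEY:
            state = _as_bool(m.group(2))
    return state


def audit(sources: Dict[str, str]) -> List[str]:
    """sources maps a file path to its text. Returns one message per source that
    enables DevMode. Precedence between sources is deliberately not resolved: a
    production host should not have DevMode enabled in any of them."""
    findings = []
    for path, text in sources.items():
        check = devmode_in_struts_xml if path.endswith(".xml") else devmode_in_struts_properties
        if check(text) is True:
            findings.append(f"{path}: {DEVMODE_KEY} is enabled")
    return findings


# Constructed struts.xml as a development build might leave it (weak setting).
DEV_STRUTS_XML = """\
<!DOCTYPE struts PUBLIC "-//Apache Software Foundation//DTD Struts Configuration 2.5//EN"
    "http://struts.apache.org/dtds/struts-2.5.dtd">
<struts>
    <constant name="struts.devMode" value="true" />
    <package name="adminui" extends="struts-default" />
</struts>
"""

# The same file with the setting corrected for production.
PROD_STRUTS_XML = DEV_STRUTS_XML.replace('value="true"', 'value="false"')

# Constructed struts.properties that also carries the development setting.
DEV_PROPERTIES = """\
# constructed sample of a struts.properties left over from a dev build
struts.devMode = true
struts.i18n.encoding=UTF-8
"""


def audit_example() -> List[str]:
    """Run the audit over the constructed sources; the paths are hypothetical."""
    return audit({
        "/opt/aem/forms/WEB-INF/classes/struts.xml": DEV_STRUTS_XML,
        "/opt/aem/forms/WEB-INF/classes/struts.properties": DEV_PROPERTIES,
    })


if __name__ == "__main__":
    for finding in audit_example():
        print(finding)
    print("corrected struts.xml:", audit({"struts.xml": PROD_STRUTS_XML}) or "clean")
```

Running a check like this in the deployment pipeline, against the configuration actually shipped to the production host rather than the repository copy, is what catches the staging-to-production carry-over the paragraph above warns about. It only inspects the files it is given; a value supplied some other way (for example through the application server's own configuration) would need a check at that layer.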

    For CISOs and infrastructure teams still running vulnerable versions of AEM Forms, the time to act has passed its urgent phase. With the vulnerability now actively exploited and verified proof-of-concept exploits in the wild, patching is not just recommended—it is mandatory.
