CVE-2025-54253 (GCVE-0-2025-54253)
Vulnerability from cvelistv5 – Published: 2025-08-05 16:53 – Updated: 2026-02-26 17:49- CWE-863 - Incorrect Authorization (CWE-863)
| URL | Tags |
|---|---|
| https://helpx.adobe.com/security/products/aem-for… | vendor-advisory |
| https://slcyber.io/assetnote-security-research-ce… | technical-description |
| https://www.cisa.gov/known-exploited-vulnerabilit… | government-resource |
| Vendor | Product | Version | |
|---|---|---|---|
| Adobe | Adobe Experience Manager |
Affected:
0 , ≤ 6.5.23
(semver)
|
CISA
Known Exploited Vulnerability - GCVE BCP-07 Compliant
Exploited: Yes
Timestamps
Scope
Evidence
Type: Vendor Report
Signal: Successful Exploitation
Confidence: 80%
Source: cisa-kev
Details
| Cwes | |
|---|---|
| Feed | CISA Known Exploited Vulnerabilities Catalog |
| Product | Experience Manager (AEM) Forms |
| Due Date | 2025-11-05 |
| Date Added | 2025-10-15 |
| Vendorproject | Adobe |
| Vulnerabilityname | Adobe Experience Manager Forms Code Execution Vulnerability |
| Knownransomwarecampaignuse | Unknown |
References
Shadowserver
Known Exploited Vulnerability - GCVE BCP-07 Compliant
Exploited: Yes
Characteristics
Timestamps
Scope
Evidence
Type: Honeypot
Signal: In The Wild Attempts
Confidence: 70%
Source: shadowserver
Details
| 1D | 1 |
|---|---|
| Iot | no |
| Feed | Shadowserver Foundation honeypot/exploited-vulnerabilities |
| Type | http-scan |
| Class | cms |
| 7D Avg | 1 |
| Vendor | Adobe |
| 30D Avg | 0 |
| 90D Avg | 0 |
| Product | Adobe Experience Manager |
| Cisa Kev | no |
| Connections | 1 |
| Observation Date | 2025-09-02 |
| Vulnerability Class | CVSS |
| Vulnerability Score | 10 |
| Vulnerability Severity | Critical |
References
KEVIntel
Known Exploited Vulnerability - GCVE BCP-07 Compliant
Exploited: Yes
Timestamps
Scope
Evidence
Type: Public Report
Signal: Successful Exploitation
Confidence: 70%
Source: kevintel
Details
| Feed | KEVIntel (kevintel.com) |
|---|---|
| Title | Adobe Experience Manager | Incorrect Authorization (CWE-863) |
| Vendor | Adobe |
| Product | Adobe Experience Manager |
| Added Date | 2026-06-01T10:42:16.439Z |
| Cvss Score | 10.0 |
| Epss Score | 0.89824 |
| Cvss Severity | CRITICAL |
| Epss Percentile | 0.99775 |
| Used In Malware | unknown |
| Ahead Of Cisa Kev |
|
| Not Yet In Cisa Kev | False |
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-54253",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-15T03:55:35.130962Z",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"other": {
"content": {
"dateAdded": "2025-10-15",
"reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-54253"
},
"type": "kev"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-26T17:49:57.370Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"technical-description"
],
"url": "https://slcyber.io/assetnote-security-research-center/struts-devmode-in-2025-critical-pre-auth-vulnerabilities-in-adobe-experience-manager-forms/"
},
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-54253"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-10-15T00:00:00.000Z",
"value": "CVE-2025-54253 added to CISA KEV"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Adobe Experience Manager",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "6.5.23",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"datePublic": "2025-08-05T17:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Adobe Experience Manager versions 6.5.23 and earlier are affected by a Misconfiguration vulnerability that could result in arbitrary code execution. An attacker could leverage this vulnerability to bypass security mechanisms and execute code. Exploitation of this issue does not require user interaction and scope is changed."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"confidentialityRequirement": "NOT_DEFINED",
"environmentalScore": 10,
"environmentalSeverity": "CRITICAL",
"exploitCodeMaturity": "NOT_DEFINED",
"integrityImpact": "HIGH",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "LOW",
"modifiedAttackVector": "NETWORK",
"modifiedAvailabilityImpact": "HIGH",
"modifiedConfidentialityImpact": "HIGH",
"modifiedIntegrityImpact": "HIGH",
"modifiedPrivilegesRequired": "NONE",
"modifiedScope": "CHANGED",
"modifiedUserInteraction": "NONE",
"privilegesRequired": "NONE",
"remediationLevel": "NOT_DEFINED",
"reportConfidence": "NOT_DEFINED",
"scope": "CHANGED",
"temporalScore": 10,
"temporalSeverity": "CRITICAL",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "Incorrect Authorization (CWE-863)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-16T18:24:37.832Z",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://helpx.adobe.com/security/products/aem-forms/apsb25-82.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Adobe Experience Manager | Incorrect Authorization (CWE-863)"
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2025-54253",
"datePublished": "2025-08-05T16:53:40.742Z",
"dateReserved": "2025-07-17T21:15:02.455Z",
"dateUpdated": "2026-02-26T17:49:57.370Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"cisa_known_exploited": {
"cveID": "CVE-2025-54253",
"dateAdded": "2025-10-15",
"dueDate": "2025-11-05",
"knownRansomwareCampaignUse": "Unknown",
"notes": "https://helpx.adobe.com/security/products/aem-forms/apsb25-82.html ; https://nvd.nist.gov/vuln/detail/CVE-2025-54253",
"product": "Experience Manager (AEM) Forms",
"requiredAction": "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.",
"shortDescription": "Adobe Experience Manager Forms in JEE contains an unspecified vulnerability that allows for arbitrary code execution.",
"vendorProject": "Adobe",
"vulnerabilityName": "Adobe Experience Manager Forms Code Execution Vulnerability"
},
"epss": {
"cve": "CVE-2025-54253",
"date": "2026-07-12",
"epss": "0.87515",
"percentile": "0.99737"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2025-54253\",\"sourceIdentifier\":\"psirt@adobe.com\",\"published\":\"2025-08-05T17:15:29.283\",\"lastModified\":\"2026-06-17T09:39:43.257\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Adobe Experience Manager versions 6.5.23 and earlier are affected by a Misconfiguration vulnerability that could result in arbitrary code execution. An attacker could leverage this vulnerability to bypass security mechanisms and execute code. Exploitation of this issue does not require user interaction and scope is changed.\"},{\"lang\":\"es\",\"value\":\"Las versiones 6.5.23 y anteriores de Adobe Experience Manager se ven afectadas por una vulnerabilidad de configuraci\u00f3n incorrecta que podr\u00eda provocar la ejecuci\u00f3n de c\u00f3digo arbitrario. Un atacante podr\u00eda aprovechar esta vulnerabilidad para eludir los mecanismos de seguridad y ejecutar c\u00f3digo. La explotaci\u00f3n de este problema no requiere la interacci\u00f3n del usuario y se modifica el alcance.\"}],\"affected\":[{\"source\":\"psirt@adobe.com\",\"affectedData\":[{\"vendor\":\"Adobe\",\"product\":\"Adobe Experience Manager\",\"defaultStatus\":\"affected\",\"versions\":[{\"version\":\"0\",\"lessThanOrEqual\":\"6.5.23\",\"versionType\":\"semver\",\"status\":\"affected\"}]}]}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"psirt@adobe.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\",\"baseScore\":10.0,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":6.0}],\"ssvcV203\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"ssvcData\":{\"timestamp\":\"2025-10-15T03:55:35.130962Z\",\"id\":\"CVE-2025-54253\",\"options\":[{\"exploitation\":\"active\"},{\"automatable\":\"yes\"},{\"technicalImpact\":\"total\"}],\"role\":\"CISA Coordinator\",\"version\":\"2.0.3\"}}]},\"cisaExploitAdd\":\"2025-10-15\",\"cisaActionDue\":\"2025-11-05\",\"cisaRequiredAction\":\"Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.\",\"cisaVulnerabilityName\":\"Adobe Experience Manager Forms Code Execution Vulnerability\",\"weaknesses\":[{\"source\":\"psirt@adobe.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-863\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:adobe:experience_manager_forms:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"6.5.23.0\",\"matchCriteriaId\":\"1449BBE4-7484-4972-8D04-BEC04C159F44\"}]}]}],\"references\":[{\"url\":\"https://helpx.adobe.com/security/products/aem-forms/apsb25-82.html\",\"source\":\"psirt@adobe.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://slcyber.io/assetnote-security-research-center/struts-devmode-in-2025-critical-pre-auth-vulnerabilities-in-adobe-experience-manager-forms/\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-54253\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"Third Party Advisory\",\"US Government Resource\"]}]}}",
"redhat_vex": {
"current_release_date": "2026-03-27T08:31:37+00:00",
"cve": "CVE-2025-54253",
"id": "CVE-2025-54253",
"initial_release_date": "2025-08-05T17:00:00+00:00",
"product_status:known_not_affected": "1",
"source": "Red Hat CSAF VEX",
"status": "final",
"title": "Adobe Experience Manager | Incorrect Authorization (CWE-863)",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2025/cve-2025-54253.json",
"version": "3"
},
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-54253\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"active\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-10-15T03:55:35.130962Z\"}}}, {\"other\": {\"type\": \"kev\", \"content\": {\"dateAdded\": \"2025-10-15\", \"reference\": \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-54253\"}}}], \"timeline\": [{\"lang\": \"en\", \"time\": \"2025-10-15T00:00:00.000Z\", \"value\": \"CVE-2025-54253 added to CISA KEV\"}], \"references\": [{\"url\": \"https://slcyber.io/assetnote-security-research-center/struts-devmode-in-2025-critical-pre-auth-vulnerabilities-in-adobe-experience-manager-forms/\", \"tags\": [\"technical-description\"]}, {\"url\": \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-54253\", \"tags\": [\"government-resource\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-08-05T17:54:04.841Z\"}}], \"cna\": {\"title\": \"Adobe Experience Manager | Incorrect Authorization (CWE-863)\", \"source\": {\"discovery\": \"EXTERNAL\"}, \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 10, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\", \"modifiedScope\": \"CHANGED\", \"temporalScore\": 10, \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"remediationLevel\": \"NOT_DEFINED\", \"reportConfidence\": \"NOT_DEFINED\", \"temporalSeverity\": \"CRITICAL\", \"availabilityImpact\": \"HIGH\", \"environmentalScore\": 10, \"privilegesRequired\": \"NONE\", \"exploitCodeMaturity\": \"NOT_DEFINED\", \"integrityRequirement\": \"NOT_DEFINED\", \"modifiedAttackVector\": \"NETWORK\", \"confidentialityImpact\": \"HIGH\", \"environmentalSeverity\": \"CRITICAL\", \"availabilityRequirement\": \"NOT_DEFINED\", \"modifiedIntegrityImpact\": \"HIGH\", \"modifiedUserInteraction\": \"NONE\", \"modifiedAttackComplexity\": \"LOW\", \"confidentialityRequirement\": \"NOT_DEFINED\", \"modifiedAvailabilityImpact\": \"HIGH\", \"modifiedPrivilegesRequired\": \"NONE\", \"modifiedConfidentialityImpact\": \"HIGH\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Adobe\", \"product\": \"Adobe Experience Manager\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.5.23\"}], \"defaultStatus\": \"affected\"}], \"datePublic\": \"2025-08-05T17:00:00.000Z\", \"references\": [{\"url\": \"https://helpx.adobe.com/security/products/aem-forms/apsb25-82.html\", \"tags\": [\"vendor-advisory\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Adobe Experience Manager versions 6.5.23 and earlier are affected by a Misconfiguration vulnerability that could result in arbitrary code execution. An attacker could leverage this vulnerability to bypass security mechanisms and execute code. Exploitation of this issue does not require user interaction and scope is changed.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-863\", \"description\": \"Incorrect Authorization (CWE-863)\"}]}], \"providerMetadata\": {\"orgId\": \"078d4453-3bcd-4900-85e6-15281da43538\", \"shortName\": \"adobe\", \"dateUpdated\": \"2025-10-16T18:24:37.832Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2025-54253\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-10-21T22:45:21.242Z\", \"dateReserved\": \"2025-07-17T21:15:02.455Z\", \"assignerOrgId\": \"078d4453-3bcd-4900-85e6-15281da43538\", \"datePublished\": \"2025-08-05T16:53:40.742Z\", \"assignerShortName\": \"adobe\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.