Concise Cyber

CISA Warns of Actively Exploited Adobe AEM Flaw with Perfect 10.0 CVSS Score

CISA Adds Critical Adobe Flaw to KEV Catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical security vulnerability impacting Adobe Experience Manager (AEM) to its Known Exploited Vulnerabilities (KEV) catalog. The action, taken on Wednesday, October 15, 2025, follows evidence of the flaw’s active exploitation in the wild. The vulnerability is identified as CVE-2025-54253 and carries a maximum severity CVSS score of 10.0.

This critical issue is a misconfiguration bug that can result in arbitrary code execution. According to an advisory from Adobe, the flaw affects Adobe Experience Manager (AEM) Forms on JEE, specifically versions 6.5.23.0 and earlier. The company addressed this vulnerability in version 6.5.0-0108, which was released in early August 2025. That same update also patched a separate vulnerability, CVE-2025-54254, which has a CVSS score of 8.6.

Technical Details of the AEM Exploitation

The security company FireCompass provided details on the nature of the vulnerability. The firm noted that the flaw stems from the dangerously exposed /adminui/debug servlet. This component evaluates user-supplied Object-Graph Navigation Language (OGNL) expressions as Java code. Crucially, it does so without requiring any authentication or performing input validation.

This lack of security controls allows for a straightforward exploitation method. FireCompass stated, “The endpoint’s misuse enables attackers to execute arbitrary system commands with a single crafted HTTP request.” The addition of this vulnerability to the KEV catalog underscores the immediate threat it poses to organizations using unpatched versions of the Adobe software.
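Because the exposed servlet sits at a fixed path, the most direct defensive check is to sweep web-server access logs for any request that reaches /adminui/debug, including percent-encoded or dot-segment variants. The script below is an added example, not code from Adobe, FireCompass or CISA; the log lines are constructed in Combined Log Format and the IP addresses are documentation ranges.

```python
"""Flag requests to the AEM Forms /adminui/debug servlet in access logs."""
import posixpath
import re
from collections import Counter
from urllib.parse import unquote, urlsplit

# Combined Log Format: client IP, identity, user, timestamp, request line, status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

DEBUG_SERVLET = "/adminui/debug"


def normalize_path(target: str) -> str:
    """Percent-decode twice (to undo double encoding) and collapse '..' segments
    so variants such as /adminui/%2e%2e/adminui/debug still resolve to the servlet."""
    path = urlsplit(target).path
    path = unquote(unquote(path))
    return posixpath.normpath(path).lower()


def is_debug_servlet_request(target: str) -> bool:
    path = normalize_path(target)
    return path == DEBUG_SERVLET or path.startswith(DEBUG_SERVLET + "/")


def scan_access_log(lines):
    """Return (ip, timestamp, status, raw target) for every hit on the debug servlet."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_debug_servlet_request(m["target"]):
            hits.append((m["ip"], m["ts"], int(m["status"]), m["target"]))
    return hits


def hits_by_source(hits):
    """Count hits per client IP; any non-zero count from outside an admin network is worth triage."""
    return Counter(ip for ip, _, _, _ in hits)


# Constructed sample log lines (documentation IP ranges, fictitious timestamps).
SAMPLE_LOG = [
    '203.0.113.7 - - [15/Oct/2025:10:02:11 +0000] "POST /adminui/debug HTTP/1.1" 200 512 "-" "curl/8.4.0"',
    '198.51.100.3 - - [15/Oct/2025:10:03:45 +0000] "GET /content/dam/logo.png HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [15/Oct/2025:10:04:02 +0000] "GET /adminui/%2e%2e/adminui/debug?x=1 HTTP/1.1" 200 300 "-" "python-requests/2.31"',
    '192.0.2.10 - - [15/Oct/2025:10:05:30 +0000] "GET /adminui/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print("debug servlet hit:", hit)
```

A 200 response to an unauthenticated request on this path is the signal to act on; a 401/403 indicates the endpoint is at least gated.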

All articles are written here with the help of AI on the basis of openly available information which cannot be independently verified. We do strive to quote the relevant sources. The intent is only to summarise what is already reported in public forums in our own words, with no intention to plagiarise or copy other persons' work. The publisher has no intent to defame or cause offence to anyone, any person or any organisation at any moment. The publisher assumes no responsibility for any damage or loss caused by making decisions on the basis of whatever is published on cyberconcise.com. You're advised to do your own checks and balances before making any decision, and owners and publishers at cyberconcise.com cannot be held accountable for its resulting ramifications. If you have any objections, concerns or want to point out anything factually incorrect, please reach out using the form on https://concisecyber.com/about/
