
Advisory 2025-1583 - Adobe Experience Manager Forms: Multiple Vulnerabilities

Attention: You can now also find information from the Vulnerability Advisory Service in the CTI portal!
The CTI portal is available at the following address: https://cti-portal.telekom.net/advisories/2025-1583
Notice: This advisory is by exception shown completely public. You will regularly receive details on vulnerability information as a customer via your login or through our daily advisory e-mail.
Attack probability: high (5)
Potential damage: medium-high (4)
Remote anonymous attacker; exploit available
Date: 2025-08-06
Release: 2025-10-16 UPDATE

Operating System

  • Other
  • UNIX
  • Windows

Software

  • Adobe Experience Manager Forms 6.5 Forms Service Pack 18-22 < 08.06.2025 hotfix
  • Adobe Experience Manager Forms 6.5 Forms Service Pack 23 < 08.06.2025 hotfix

Attack

A remote anonymous attacker can exploit multiple vulnerabilities in Adobe Experience Manager Forms in order to execute arbitrary code and to disclose arbitrary files.

Description

Adobe Experience Manager Forms is a forms management solution.

CVE-2025-54253

There is a vulnerability in Adobe Experience Manager (AEM) Forms. It affects AEM Forms on Java Enterprise Edition (JEE) and is due to a misconfiguration in the /adminui module. A remote anonymous attacker can leverage this vulnerability to bypass security mechanisms and execute code.

CVSSv2 Base Score: 10.0 / Temporal Score: 8.7
AV:N/AC:L/AU:N/C:C/I:C/A:C/E:H/RL:OF/RC:ND
CVSSv3.1 Base Score: 10.0 / Temporal Score: 9.5
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H/RL:O/RC:X

CVE-2025-54254

There is a vulnerability in Adobe Experience Manager Forms on Java Enterprise Edition (JEE). This flaw exists due to an Improper Restriction of XML External Entity Reference ('XXE') vulnerability in a web service responsible for handling SOAP authentication. A remote anonymous attacker can exploit this vulnerability to access arbitrary files from the local file system.

CVSSv2 Base Score: 7.8 / Temporal Score: 6.1
AV:N/AC:L/AU:N/C:C/I:N/A:N/E:POC/RL:OF/RC:ND
CVSSv3.1 Base Score: 8.6 / Temporal Score: 7.7
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N/E:P/RL:O/RC:X

According to Adobe, proof-of-concept (PoC) code taking advantage of CVE-2025-54253 and CVE-2025-54254 is available on the Internet. According to CISA, CVE-2025-54253 is being actively exploited.

Recommendation

Adobe provides updates. Please update your installation and see the vendor's advisory to find the proper version suitable for your environment.
https://helpx.adobe.com/security/products/aem-forms/apsb25-82.html

References

CVE:CVE-2025-54253
CVE:CVE-2025-54254
EUVD:EUVD-2025-23638
EUVD:EUVD-2025-23647

Disclaimer

*The probability of an attack is determined by the attacker's motivation, the necessary effort and the opportunities for an attack. The potential damage is determined by the effort needed to resolve the attack and the probable indirect consequences of an attack for business processes. Telekom Security assumes worst-case scenarios.

Copyright © 1999-2025 Deutsche Telekom Security GmbH. All rights reserved. Reproduction and distribution of this publication in any form - even in parts - without prior written permission is forbidden.

The information contained herein has been obtained from sources believed to be reliable and trusted, or has been verified. Telekom Security accepts liability for completeness, accuracy and correctness only insofar as gross negligence or intent creates liability. Any liability beyond that, in particular for possible damages resulting from the use or non-usability of the information contained herein, is excluded.