Advisory 2025-1583 - Adobe Experience Manager Forms: Multiple Vulnerabilities
The CTI portal is available at the following address: https://cti-portal.telekom.net/advisories/2025-1583
5 |
|
4 |
|
- Date
- 2025-08-06
- Release
- 2025-10-16 UPDATE
Operating System
- Sonstiges
- UNIX
- Windows
Software
- Adobe Experience Manager Forms 6.5 Forms Service Pack 18-22 < 08.06.2025 hotfix
- Adobe Experience Manager Forms 6.5 Forms Service Pack 23 < 08.06.2025 hotfix
Attack
A remote anonymous attacker can exploit multiple vulnerabilities in Adobe Experience Manager Forms in order to execute arbitrary code and to disclose arbitrary files.
Description
Adobe Experience Manager Forms is a forms management solution.
CVE-2025-54253
There is a vulnerability in Adobe Experience Manager (AEM) Forms. This vulnerability affect AEM on Java Enterprise Edition (JEE) due to a Misconfiguration vulnerability in the /adminui module. A remote anonymous attacker can leverage this vulnerability to bypass security mechanisms and execute code.
CVE-2025-54254
There is a vulnerability in Adobe Experience Manager Forms on Java Enterprise Edition (JEE). This flaw exists due to an Improper Restriction of XML External Entity Reference ('XXE') vulnerability in a web service responsible for handling SOAP authentication. A remote anonymous attacker can exploit this vulnerability to access arbitrary files from the local file system.
According to Adobe PoC code taking advantage of the vulnerabilities CVE-2025-54253 and CVE-2025-54254 is available on the Internet. According to CISA, the CVE-2025-54253 vulnerability is being actively exploited.
Recommendation
Adobe provides updates. Please update your installation and see the vendor's advisory to find the proper version suitable for your environment.
https://helpx.adobe.com/security/products/aem-forms/apsb25-82.html
Information
Adobe Security Bulletin dated 2025-08-05
https://helpx.adobe.com/security/products/aem-forms/apsb25-82.html
NIST Vulnerability Database dated 2025-08-05
https://nvd.nist.gov/vuln/detail/CVE-2025-54253
NIST Vulnerability Database dated 2025-08-05
https://nvd.nist.gov/vuln/detail/CVE-2025-54254
PoC dated 2025-08-05
https://slcyber.io/assetnote-security-research-center/struts-devmode-in-2025-critical-pre-auth-vulnerabilities-in-adobe-experience-manager-forms/
CISA Known Exploited Vulnerability Catalog dated 2025-10-15
https://www.cisa.gov/news-events/alerts/2025/10/15/cisa-adds-one-known-exploited-vulnerability-catalog
References
CVE:CVE-2025-54253CVE:CVE-2025-54254
EUVD:EUVD-2025-23638
EUVD:EUVD-2025-23647
Disclaimer
*The probability of an attack is determined by the attacker's motivation, the necessary expend and the possibilities for an attack. The damage probability is determined by the expend needed to resolute the attack and probable indirect consequences of an attack for business processes. Telekom Security assumes worst case scenarios.
Copyright © 1999-2025 Deutsche Telekom Security GmbH. All rights reserved. Reproduction and distribution of this publication in any form - even in parts - without prior written permission is forbidden.
The information contained herein has been obtained from sources believed to be reliable and trusted or have been verified. Telekom Security can take liability for completeness, accuracy and correctness only in so far, as gross negligence or intention create liability. Any liability beyond it, in particular possible damages resulting from using or non-usability of the information contained herein, is excluded.