Active Exploitation of Critical Adobe AEM Forms Misconfiguration
Summary
A critical misconfiguration flaw in Adobe Experience Manager (AEM) Forms on JEE, tracked as CVE-2025-54253 and affecting versions 6.5.23.0 and earlier, is under active exploitation. The /adminui/debug servlet is reachable without authentication and evaluates user-supplied OGNL expressions as Java code with no input validation, so a single crafted HTTP request is enough to run arbitrary system commands on the server. Adam Kues and Shubham Shah of Searchlight Cyber discovered the flaw and reported it to Adobe on April 28, 2025; Adobe shipped a fix in August 2025. A proof-of-concept exploit is publicly available. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, and federal agencies must apply the fix by November 5, 2025.
Timeline
-
16.10.2025 07:26 · 2 articles
Adobe AEM Forms Misconfiguration Exploited in the Wild
The flaw was discovered by Adam Kues and Shubham Shah of Searchlight Cyber, who disclosed it to Adobe on April 28, 2025.
- CISA Flags Adobe AEM Flaw with Perfect 10.0 Score — Already Under Active Attack — thehackernews.com — 16.10.2025 07:26
- CISA: Maximum-severity Adobe flaw now exploited in attacks — www.bleepingcomputer.com — 16.10.2025 17:28
Information Snippets
-
The flaw, CVE-2025-54253, affects Adobe Experience Manager (AEM) Forms on JEE versions 6.5.23.0 and earlier.
First reported: 16.10.2025 07:26 · 2 sources, 2 articles
- CISA Flags Adobe AEM Flaw with Perfect 10.0 Score — Already Under Active Attack — thehackernews.com — 16.10.2025 07:26
- CISA: Maximum-severity Adobe flaw now exploited in attacks — www.bleepingcomputer.com — 16.10.2025 17:28
-
The vulnerability is classified as a misconfiguration, but its impact is arbitrary code execution on the affected server.
First reported: 16.10.2025 07:26 · 2 sources, 2 articles
- CISA Flags Adobe AEM Flaw with Perfect 10.0 Score — Already Under Active Attack — thehackernews.com — 16.10.2025 07:26
- CISA: Maximum-severity Adobe flaw now exploited in attacks — www.bleepingcomputer.com — 16.10.2025 17:28
-
The flaw is caused by an exposed /adminui/debug servlet that evaluates user-supplied OGNL expressions as Java code without authentication or input validation.
First reported: 16.10.2025 07:26 · 2 sources, 2 articles
- CISA Flags Adobe AEM Flaw with Perfect 10.0 Score — Already Under Active Attack — thehackernews.com — 16.10.2025 07:26
- CISA: Maximum-severity Adobe flaw now exploited in attacks — www.bleepingcomputer.com — 16.10.2025 17:28
-
Because the servlet requires no authentication, an attacker can execute arbitrary system commands with a single crafted HTTP request.
First reported: 16.10.2025 07:26 · 2 sources, 2 articles
- CISA Flags Adobe AEM Flaw with Perfect 10.0 Score — Already Under Active Attack — thehackernews.com — 16.10.2025 07:26
- CISA: Maximum-severity Adobe flaw now exploited in attacks — www.bleepingcomputer.com — 16.10.2025 17:28
-
Adobe patched the vulnerability in August 2025 in version 6.5.0-0108.
First reported: 16.10.2025 07:26 · 2 sources, 2 articles
- CISA Flags Adobe AEM Flaw with Perfect 10.0 Score — Already Under Active Attack — thehackernews.com — 16.10.2025 07:26
- CISA: Maximum-severity Adobe flaw now exploited in attacks — www.bleepingcomputer.com — 16.10.2025 17:28
-
CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog due to active exploitation.
First reported: 16.10.2025 07:26 · 2 sources, 2 articles
- CISA Flags Adobe AEM Flaw with Perfect 10.0 Score — Already Under Active Attack — thehackernews.com — 16.10.2025 07:26
- CISA: Maximum-severity Adobe flaw now exploited in attacks — www.bleepingcomputer.com — 16.10.2025 17:28
-
Federal Civilian Executive Branch (FCEB) agencies must apply the necessary fixes by November 5, 2025.
First reported: 16.10.2025 07:26 · 2 sources, 2 articles
- CISA Flags Adobe AEM Flaw with Perfect 10.0 Score — Already Under Active Attack — thehackernews.com — 16.10.2025 07:26
- CISA: Maximum-severity Adobe flaw now exploited in attacks — www.bleepingcomputer.com — 16.10.2025 17:28
-
A proof-of-concept exploit for the vulnerability is publicly available.
First reported: 16.10.2025 07:26 · 2 sources, 2 articles
- CISA Flags Adobe AEM Flaw with Perfect 10.0 Score — Already Under Active Attack — thehackernews.com — 16.10.2025 07:26
- CISA: Maximum-severity Adobe flaw now exploited in attacks — www.bleepingcomputer.com — 16.10.2025 17:28
-
The flaw was discovered by Adam Kues and Shubham Shah of Searchlight Cyber, who disclosed it to Adobe on April 28, 2025.
First reported: 16.10.2025 17:28 · 1 source, 1 article
- CISA: Maximum-severity Adobe flaw now exploited in attacks — www.bleepingcomputer.com — 16.10.2025 17:28
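With the flaw in KEV and a public proof-of-concept, the first question for anyone running AEM Forms on JEE behind a reverse proxy is whether /adminui/debug has already been requested. The script below is an added example for this page, not Adobe's or Searchlight Cyber's code: it scans Apache/Nginx "combined" access-log lines for the servlet path, canonicalizing the path first so that encoded, doubled or dot-segment variants are not missed, and flags OGNL-looking syntax in the query string. The log lines, the documentation IP addresses, and the query-parameter name "q" are all constructed for the example; the OGNL patterns are generic syntax heuristics, not the published exploit.

```python
"""Scan reverse-proxy access logs for requests to the AEM Forms on JEE
/adminui/debug servlet (CVE-2025-54253). Added example for this page, not
Adobe's or Searchlight Cyber's code.

Assumptions (not from the original page): the proxy in front of AEM Forms
writes Apache/Nginx "combined" log lines with the full request line; the
query-parameter name ("q") in the sample lines is made up; the OGNL hints are
generic syntax heuristics, not the published proof-of-concept.
"""
import posixpath
import re
from urllib.parse import unquote

DEBUG_SERVLET = "/adminui/debug"

# Combined log format: host ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# OGNL syntax hints for the query string. POST bodies are not in access logs,
# so a POST to the servlet with no hints is still worth a look.
OGNL_HINTS = {
    "static-member": re.compile(r"@[A-Za-z_][\w.]*@"),  # @java.lang.Runtime@getRuntime
    "context-var": re.compile(r"#[A-Za-z_]"),           # #root, #context, #cmd
    "exec-sink": re.compile(r"\.exec\s*\(", re.I),
}


def normalize_path(target: str) -> str:
    """Canonicalize the request path so that /adminui/./debug, //adminui/debug
    and %2Fadminui%2Fdebug all compare equal to /adminui/debug.

    Splits on '?' by hand: urlsplit() would read a leading '//' as a host."""
    path = target.partition("?")[0]
    path = unquote(unquote(path))            # undo single and double encoding
    path = re.sub(r"/+", "/", "/" + path)    # collapse runs of slashes
    return posixpath.normpath(path).lower()  # resolve . and .. segments


def ognl_hints(target: str) -> list:
    """Return the names of OGNL heuristics matching the decoded query string."""
    query = unquote(unquote(target.partition("?")[2]))
    return [name for name, rx in OGNL_HINTS.items() if rx.search(query)]


def classify(line: str):
    """Return a finding dict for a request to the debug servlet, else None."""
    m = LOG_RE.match(line)
    if not m or normalize_path(m["target"]) != DEBUG_SERVLET:
        return None
    status = int(m["status"])
    hints = ognl_hints(m["target"])
    if hints and status == 200:
        severity = "critical"   # OGNL-looking input accepted by the servlet
    elif hints or m["method"].upper() == "POST":
        severity = "high"       # payload present, or a body we cannot see
    else:
        severity = "medium"     # probing for the servlet (e.g. blocked upstream)
    return {"ip": m["ip"], "ts": m["ts"], "method": m["method"],
            "status": status, "hints": hints, "severity": severity}


def scan(log_text: str) -> list:
    """Run classify() over every line; return findings in log order."""
    return [f for f in (classify(l) for l in log_text.splitlines()) if f]


# Constructed sample lines (documentation IPs, made-up timestamps and queries).
SAMPLE_LOG = """\
203.0.113.10 - - [15/Oct/2025:08:01:12 +0000] "GET /content/forms/af/demo.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.25 - - [15/Oct/2025:08:02:40 +0000] "GET /adminui/./debug HTTP/1.1" 403 312 "-" "curl/8.4.0"
198.51.100.7 - - [15/Oct/2025:08:03:05 +0000] "GET //adminui%2Fdebug?q=%40java.lang.Runtime%40getRuntime HTTP/1.1" 200 2048 "-" "python-requests/2.32"
198.51.100.7 - - [15/Oct/2025:08:03:09 +0000] "POST /adminui/debug?q=%23cmd HTTP/1.1" 500 0 "-" "python-requests/2.32"
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['severity']:8} {f['ip']:14} {f['method']:4} {f['status']} hints={f['hints']}")
```

Run it against real proxy logs with `scan(open(path).read())`. A "medium" hit on a patched host is still worth noting: it shows someone enumerating for the servlet, and the same source address may appear with a payload elsewhere. The path is lowercased deliberately, which over-matches relative to a case-sensitive servlet container; for triage that is the safer direction.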
Similar Happenings
Active Exploitation of Unpatched Gladinet and TrioFox Vulnerability
Active exploitation of a security flaw in Gladinet CentreStack and TrioFox continues. The zero-day vulnerability, CVE-2025-11371, is an unauthenticated local file inclusion bug that discloses system files; it affects all versions prior to and including 16.7.10368.56560. Researchers at Huntress detected the exploitation on September 27, 2025. Attackers used the file read to retrieve the machine key from the application's Web.config file, then chained it with an older ViewState deserialization vulnerability (CVE-2025-30406) to achieve remote code execution (RCE). Three customers have been impacted so far. Gladinet was notified and initially worked on a fix; a patch is now available in CentreStack version 16.10.10408.56683. Users are advised to upgrade to this version or, if upgrading is not possible, to disable the "temp" handler within the Web.config file for UploadDownloadProxy. That workaround impacts some functionality of the platform but prevents exploitation of CVE-2025-11371.
Critical deserialization flaw in GoAnywhere MFT (CVE-2025-10035) patched
The critical deserialization vulnerability CVE-2025-10035 in GoAnywhere MFT, rated 10.0 on the CVSS scale, has been exploited by the cybercrime group Storm-1175 in Medusa ransomware attacks since at least September 11, 2025, a week before the CVE was formally published on September 18, 2025. The flaw sits in the same license code path as the earlier CVE-2023-0669, which LockBit and other ransomware and APT groups exploited widely in 2023. An attacker can bypass signature verification with a forged license response signature, causing the application to deserialize arbitrary attacker-controlled objects; that leads to command injection and remote code execution (RCE) on systems publicly accessible over the internet. Following exploitation, the threat actor used the legitimate remote monitoring and management (RMM) tools SimpleHelp and MeshAgent to launch binaries and establish command-and-control (C2) infrastructure, set up a Cloudflare tunnel for C2 communication, and, in at least one victim environment, deployed Rclone during the exfiltration stage. Medusa ransomware has over 300 global victims in critical infrastructure sectors, including a confirmed attack on a US healthcare organization in early 2025. Fortra began investigating on September 11, 2025, following a customer report, and the same day contacted on-premises customers with publicly accessible admin consoles and notified law enforcement. A hotfix for versions 7.6.x, 7.7.x, and 7.8.x followed on September 12, 2025, and full patches in versions 7.6.3 and 7.8.4 on September 15, 2025. Fortra has confirmed a limited number of reports of unauthorized activity related to CVE-2025-10035 and recommends restricting admin console access over the internet and enabling monitoring. The Shadowserver Foundation is tracking over 513 GoAnywhere MFT instances exposed online; how many of them are patched is unknown. watchTowr CEO and founder Benjamin Harris reiterated the need for transparency from Fortra regarding the private keys used in the exploit.
Critical Out-of-Bounds Write Vulnerability in WatchGuard Firebox Firewalls
WatchGuard has released security updates to address a critical remote code execution vulnerability (CVE-2025-9242) in Firebox firewalls. This flaw, caused by an out-of-bounds write weakness, affects devices running Fireware OS 11.x, 12.x, and 2025.1. Successful exploitation can allow attackers to execute malicious code remotely on vulnerable devices. The vulnerability impacts devices configured to use IKEv2 VPN, and devices may remain at risk even if the vulnerable configurations have been deleted. WatchGuard has provided patches and a temporary workaround for administrators who cannot immediately update their devices. The vulnerability is not yet being exploited in the wild, but administrators are advised to patch their devices promptly.
SAP S/4HANA Command Injection Vulnerability CVE-2025-42957 Exploited in the Wild
A critical command injection vulnerability in SAP S/4HANA, tracked as CVE-2025-42957, is actively exploited in the wild. The flaw allows attackers with low-privileged user access to execute arbitrary ABAP code, potentially leading to full system compromise. The vulnerability affects both on-premise and Private Cloud editions of SAP S/4HANA. The flaw was patched in SAP's August 2025 updates, but exploitation has been observed. SecurityBridge Threat Research Labs, BleepingComputer, and Pathlock have reported active exploitation. Organizations are advised to apply patches, monitor logs for suspicious RFC calls or new admin users, implement SAP's Unified Connectivity framework (UCON) to restrict RFC usage, and take additional security measures to mitigate the risk.
FreePBX Zero-Day Exploited in the Wild, Emergency Patch Released
A zero-day vulnerability in FreePBX (CVE-2025-57819) is actively exploited in the wild. The flaw allows unauthenticated access to the FreePBX Administrator, leading to arbitrary database manipulation and remote code execution. FreePBX versions 15, 16, and 17 are affected. The exploit has been used since at least August 21, 2025, targeting systems with inadequate IP filtering or access control lists (ACLs). Sangoma has released an emergency patch and indicators of compromise (IOCs) to help administrators detect exploitation. Users are advised to upgrade, restrict public access to the administrator control panel, and check for a known issue in the v17 'framework' module that may prevent automated update notification emails. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply the fixes by September 19, 2025.