
Organizations Warned of Exploited Adobe AEM Forms Vulnerability


The US cybersecurity agency CISA on Wednesday warned that a recent Adobe Experience Manager Forms (AEM Forms) vulnerability has been exploited in attacks.

Tracked as CVE-2025-54253 (CVSS score of 10.0), the flaw was patched in early August with an out-of-band update, because a proof-of-concept (PoC) exploit was already public.

AEM Forms is a solution designed for creating, managing, and publishing digital forms and documents. Described as a misconfiguration issue, the security defect can be exploited for arbitrary code execution.

Shubham Shah and Adam Kues of Searchlight Cyber, who discovered the security hole, said it was a combination of authentication bypass and the Struts development mode for the admin UI being left enabled.

An attacker could craft a payload to execute Object-Graph Navigation Language (OGNL) expressions and could use public sandbox bypasses to achieve remote code execution, the researchers said.
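A defender's check for the misconfiguration the researchers describe, as an added example that is not from the article, Adobe or Searchlight Cyber: it scans Struts configuration text for the `struts.devMode` constant set to true. The file names and contents below are constructed samples; where a given AEM Forms deployment keeps these files is not stated here.

```python
import xml.etree.ElementTree as ET

DEV_KEY = "struts.devMode"  # Struts constant that turns on development mode

def devmode_in_xml(text):
    """Last value of <constant name="struts.devMode"> in struts.xml text, or None."""
    value = None
    for const in ET.fromstring(text).iter("constant"):
        if const.get("name") == DEV_KEY:
            value = const.get("value", "")
    return value

def devmode_in_properties(text):
    """Last value of struts.devMode in struts.properties text, or None."""
    value = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":  # blank line or comment
            continue
        key, sep, val = line.partition("=")
        if sep and key.strip() == DEV_KEY:
            value = val.strip()
    return value

def audit(files):
    """files maps a file name to its text; return sorted names that enable devMode."""
    flagged = []
    for name, text in files.items():
        parse = devmode_in_xml if name.endswith(".xml") else devmode_in_properties
        value = parse(text)
        if value is not None and value.strip().lower() == "true":
            flagged.append(name)
    return sorted(flagged)

# Constructed sample inputs (hypothetical names, not from any real deployment).
SAMPLES = {
    "weak/struts.xml": '<!DOCTYPE struts PUBLIC "-//Apache Software Foundation'
                       '//DTD Struts Configuration 2.5//EN" '
                       '"http://struts.apache.org/dtds/struts-2.5.dtd">\n'
                       '<struts><constant name="struts.devMode" value="true"/></struts>',
    "fixed/struts.xml": '<struts><constant name="struts.devMode" value="false"/>'
                        '<constant name="struts.i18n.encoding" value="UTF-8"/></struts>',
    "weak/struts.properties": "# constructed sample\nstruts.devMode = TRUE\n",
    "fixed/struts.properties": "#struts.devMode=true\nstruts.devMode=false\n",
}

if __name__ == "__main__":
    for name in audit(SAMPLES):
        print("devMode enabled:", name)
```

A clean result only covers the files passed in; the authentication bypass half of the issue is addressed by Adobe's update, not by this setting.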

Adobe addressed the vulnerability in AEM Forms on Java ...


Copyright of this story solely belongs to SecurityWeek.