CVE-2025-54253

Adobe Experience Manager versions 6.5.23 and earlier are affected by a Misconfiguration vulnerability that could result in arbitrary code execution. An attacker could leverage this vulnerability to bypass security mechanisms and execute code. Exploitation of this issue does not require user interaction and scope is changed.

CVSS v3 10.0 CRITICAL

10.0^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://helpx.adobe.com/security/products/aem-forms/apsb25-82.html	Vendor Advisory
https://slcyber.io/assetnote-security-research-center/struts-devmode-in-2025-critical-pre-auth-vulnerabilities-in-adobe-experience-manager-forms/	Exploit Third Party Advisory
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-54253	Third Party Advisory US Government Resource

Configurations

Configuration 1 (hide)

cpe:2.3:a:adobe:experience_manager_forms:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2025-08-05 17:15

Updated : 2025-10-23 14:51

NVD link : CVE-2025-54253

Mitre link : CVE-2025-54253

CVE.ORG link : CVE-2025-54253

JSON object : View

Products Affected

adobe

experience_manager_forms

CWE

CWE-863

Incorrect Authorization

{"id": "CVE-2025-54253", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 10.0, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 3.9}]}, "published": "2025-08-05T17:15:29.283", "references": [{"url": "https://helpx.adobe.com/security/products/aem-forms/apsb25-82.html", "tags": ["Vendor Advisory"], "source": "[email protected]"}, {"url": "https://slcyber.io/assetnote-security-research-center/struts-devmode-in-2025-critical-pre-auth-vulnerabilities-in-adobe-experience-manager-forms/", "tags": ["Exploit", "Third Party Advisory"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}, {"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-54253", "tags": ["Third Party Advisory", "US Government Resource"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-863"}]}], "descriptions": [{"lang": "en", "value": "Adobe Experience Manager versions 6.5.23 and earlier are affected by a Misconfiguration vulnerability that could result in arbitrary code execution. An attacker could leverage this vulnerability to bypass security mechanisms and execute code. Exploitation of this issue does not require user interaction and scope is changed."}, {"lang": "es", "value": "Las versiones 6.5.23 y anteriores de Adobe Experience Manager se ven afectadas por una vulnerabilidad de configuraci\u00f3n incorrecta que podr\u00eda provocar la ejecuci\u00f3n de c\u00f3digo arbitrario. Un atacante podr\u00eda aprovechar esta vulnerabilidad para eludir los mecanismos de seguridad y ejecutar c\u00f3digo. La explotaci\u00f3n de este problema no requiere la interacci\u00f3n del usuario y se modifica el alcance."}], "lastModified": "2025-10-23T14:51:25.423", "cisaActionDue": "2025-11-05", "cisaExploitAdd": "2025-10-15", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:adobe:experience_manager_forms:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1449BBE4-7484-4972-8D04-BEC04C159F44", "versionEndIncluding": "6.5.23.0"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]", "cisaRequiredAction": "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.", "cisaVulnerabilityName": "Adobe Experience Manager Forms Code Execution Vulnerability"}