CVE-2025-49533
Published: 08 July 2025
Summary
CVE-2025-49533 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Adobe Experience Manager. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 1.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
Adobe Experience Manager (MS) versions 6.5.23.0 and earlier contain a Deserialization of Untrusted Data vulnerability tracked as CVE-2025-49533 and CWE-502. The flaw permits arbitrary code execution and carries a CVSS 3.1 base score of 9.8 reflecting network attack vector, low attack complexity, no required privileges or user interaction, and unchanged scope.
An unauthenticated attacker can send a malicious serialized payload over the network to trigger the vulnerability and obtain arbitrary code execution on the affected system, resulting in full compromise of confidentiality, integrity, and availability.
Adobe has published mitigation guidance in security advisory APSB25-67, available at https://helpx.adobe.com/security/products/aem-forms/apsb25-67.html. The EPSS score for this CVE currently stands at 0.7643 with a recorded peak of 0.7749.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-20752
Vulnerability details
Adobe Experience Manager (MS) versions 6.5.23.0 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could lead to arbitrary code execution by an attacker. Exploitation of this issue does not require user interaction. Scope is unchanged.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote unauthenticated deserialization RCE on public-facing AEM server directly enables T1190 (Exploit Public-Facing Application) for initial access and subsequent arbitrary code execution via T1059 (Command and Scripting Interpreter).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Requires timely installation of vendor patches to remediate the specific deserialization of untrusted data flaw in Adobe Experience Manager.
Mandates validation of information inputs at deserialization points to block untrusted data from triggering arbitrary code execution.
Provides memory safeguards like non-executable regions to mitigate code execution from deserialization gadget chains.