Cyber Resilience

CVE-2025-49533

CriticalRCE

Published: 08 July 2025

Published
08 July 2025
Modified
18 July 2025
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.7643 99.0th percentile
Risk Priority 65 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-49533 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Adobe Experience Manager. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 1.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

Adobe Experience Manager (MS) versions 6.5.23.0 and earlier contain a Deserialization of Untrusted Data vulnerability tracked as CVE-2025-49533 and CWE-502. The flaw permits arbitrary code execution and carries a CVSS 3.1 base score of 9.8 reflecting network attack vector, low attack complexity, no required privileges or user interaction, and unchanged scope.

An unauthenticated attacker can send a malicious serialized payload over the network to trigger the vulnerability and obtain arbitrary code execution on the affected system, resulting in full compromise of confidentiality, integrity, and availability.

Adobe has published mitigation guidance in security advisory APSB25-67, available at https://helpx.adobe.com/security/products/aem-forms/apsb25-67.html. The EPSS score for this CVE currently stands at 0.7643 with a recorded peak of 0.7749.

EU & UK References

Vulnerability details

Adobe Experience Manager (MS) versions 6.5.23.0 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could lead to arbitrary code execution by an attacker. Exploitation of this issue does not require user interaction. Scope is unchanged.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059 Command and Scripting Interpreter Execution
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

Remote unauthenticated deserialization RCE on public-facing AEM server directly enables T1190 (Exploit Public-Facing Application) for initial access and subsequent arbitrary code execution via T1059 (Command and Scripting Interpreter).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-64537Same product: Adobe Experience Manager
CVE-2025-64538Same product: Adobe Experience Manager
CVE-2024-53963Same product: Adobe Experience Manager
CVE-2025-64539Same product: Adobe Experience Manager
CVE-2024-53965Same product: Adobe Experience Manager
CVE-2025-61810Same vendor: Adobe
CVE-2025-27203Same vendor: Adobe
CVE-2026-34659Same vendor: Adobe
CVE-2026-27303Same vendor: Adobe
CVE-2026-29782Shared CWE-502

Affected Assets

adobe
experience manager
≤ 6.5.23.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires timely installation of vendor patches to remediate the specific deserialization of untrusted data flaw in Adobe Experience Manager.

prevent

Mandates validation of information inputs at deserialization points to block untrusted data from triggering arbitrary code execution.

prevent

Provides memory safeguards like non-executable regions to mitigate code execution from deserialization gadget chains.

References