CVE-2025-49533
Published: 08 July 2025
Summary
CVE-2025-49533 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Adobe Experience Manager. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 1.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires timely installation of vendor patches to remediate the specific deserialization of untrusted data flaw in Adobe Experience Manager.
Mandates validation of information inputs at deserialization points to block untrusted data from triggering arbitrary code execution.
Provides memory safeguards like non-executable regions to mitigate code execution from deserialization gadget chains.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote unauthenticated deserialization RCE on public-facing AEM server directly enables T1190 (Exploit Public-Facing Application) for initial access and subsequent arbitrary code execution via T1059 (Command and Scripting Interpreter).
NVD Description
Adobe Experience Manager (MS) versions 6.5.23.0 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could lead to arbitrary code execution by an attacker. Exploitation of this issue does not require user interaction. Scope is unchanged.
Deeper analysisAI
CVE-2025-49533 is a Deserialization of Untrusted Data vulnerability (CWE-502) affecting Adobe Experience Manager (MS) versions 6.5.23.0 and earlier. Published on 2025-07-08, this flaw could lead to arbitrary code execution by an attacker, with exploitation not requiring user interaction. It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its network accessibility, low attack complexity, and lack of prerequisites, while maintaining unchanged scope.
An unauthenticated attacker can exploit this vulnerability remotely over the network without privileges or user interaction, potentially achieving arbitrary code execution on the targeted system. Successful exploitation grants high impacts across confidentiality, integrity, and availability, allowing full compromise of the affected Adobe Experience Manager instance.
Adobe's security bulletin APSB25-67, available at https://helpx.adobe.com/security/products/aem-forms/apsb25-67.html, provides details on mitigation strategies and available patches for addressing this vulnerability.
Details
- CWE(s)