CVE-2025-54253
Published: 05 August 2025
Summary
CVE-2025-54253 is a critical-severity Incorrect Authorization (CWE-863) vulnerability in Adobe Experience Manager Forms. Its CVSS base score is 10.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 4.5% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 CM-2 (Baseline Configuration) and CM-6 (Configuration Settings).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Flaw remediation: directly remediates the misconfiguration vulnerability in Adobe Experience Manager by requiring identification, reporting, and correction of flaws like CVE-2025-54253 through timely patching, as advised in Adobe's bulletin.
- CM-6 (Configuration Settings): mitigates the CWE-863 misconfiguration that enables the authorization bypass and arbitrary code execution by establishing and enforcing secure configuration settings for the vulnerable AEM components.
- CM-2 (Baseline Configuration): prevents exploitation of the version-specific misconfiguration in AEM 6.5.23 and earlier by developing and maintaining baseline configurations that exclude insecure settings such as Struts devmode.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CVE-2025-54253 is a misconfiguration vulnerability in Adobe Experience Manager Forms (Struts DevMode) enabling pre-authentication arbitrary code execution on public-facing web services, directly mapping to T1190: Exploit Public-Facing Application.
NVD Description
Adobe Experience Manager versions 6.5.23 and earlier are affected by a Misconfiguration vulnerability that could result in arbitrary code execution. An attacker could leverage this vulnerability to bypass security mechanisms and execute code. Exploitation of this issue does not require user interaction and scope is changed.
Deeper analysis
Adobe Experience Manager versions 6.5.23 and earlier are affected by CVE-2025-54253, a misconfiguration vulnerability classified under CWE-863. This flaw enables attackers to bypass security mechanisms, resulting in arbitrary code execution. The vulnerability carries a maximum CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), indicating it is exploitable remotely with low complexity, no privileges or user interaction required, and a changed scope with high impacts across confidentiality, integrity, and availability.
Unauthenticated attackers can exploit this vulnerability over the network without user interaction to achieve arbitrary code execution on the targeted system. The changed scope (S:C) suggests potential impacts beyond the vulnerable component, amplifying the risk in affected environments.
Adobe's security bulletin APSB25-82 provides details on mitigation and patches at https://helpx.adobe.com/security/products/aem-forms/apsb25-82.html. Additional analysis from Assetnote's research on Struts devmode vulnerabilities in Adobe Experience Manager Forms is available at https://slcyber.io/assetnote-security-research-center/struts-devmode-in-2025-critical-pre-auth-vulnerabilities-in-adobe-experience-manager-forms/. The vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog at https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-54253, indicating active exploitation in the wild.
Details
- CWE(s): CWE-863 (Incorrect Authorization)
- KEV Date Added: 15 October 2025