
CVE-2025-54253

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 05 August 2025
Modified: 23 October 2025
KEV Added: 15 October 2025
Patch:
CVSS Score (v3.1): 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.2419 (96.2th percentile)
Risk Priority: 55 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-54253 is a critical-severity Incorrect Authorization (CWE-863) vulnerability in Adobe Experience Manager Forms. Its CVSS base score is 10.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 3.8% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 CM-2 (Baseline Configuration) and CM-6 (Configuration Settings).

Deeper analysis

Adobe Experience Manager versions 6.5.23 and earlier contain a misconfiguration vulnerability, tracked as CVE-2025-54253 and assigned CWE-863, that permits arbitrary code execution. The flaw carries a CVSS 3.1 score of 10.0 with network attack vector, low complexity, no required privileges or user interaction, and changed scope, allowing an attacker to bypass security controls and run code on the affected system.

An unauthenticated remote attacker can exploit the issue directly over the network to achieve code execution without any user interaction. Successful exploitation grants the ability to bypass existing security mechanisms and obtain full control over the impacted Adobe Experience Manager instance.

Adobe has published an advisory detailing the affected versions and remediation steps at helpx.adobe.com, while independent research from Assetnote has linked the root cause to exposed Struts development-mode settings. The vulnerability appears in CISA’s Known Exploited Vulnerabilities catalog, confirming real-world exploitation. Its EPSS score rose materially from lower values at disclosure to a peak of 0.5874 on 2026-01-13 before receding to the current 0.2419, indicating increased attacker interest after public release.

EU & UK References

Vulnerability details

Adobe Experience Manager versions 6.5.23 and earlier are affected by a Misconfiguration vulnerability that could result in arbitrary code execution. An attacker could leverage this vulnerability to bypass security mechanisms and execute code. Exploitation of this issue does not require user interaction and scope is changed.

CWE(s):
KEV Date Added: 15 October 2025

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

CVE-2025-54253 is a misconfiguration vulnerability in Adobe Experience Manager Forms (Struts DevMode) enabling pre-authentication arbitrary code execution on public-facing web services, directly mapping to T1190: Exploit Public-Facing Application.

CVEs Like This One

CVE-2025-54254 (same product: Adobe Experience Manager Forms)
CVE-2026-34645 (same vendor: Adobe)
CVE-2026-21309 (same vendor: Adobe)
CVE-2026-21289 (same vendor: Adobe)
CVE-2026-34646 (same vendor: Adobe)
CVE-2025-24409 (same vendor: Adobe)
CVE-2026-34660 (same vendor: Adobe)
CVE-2025-54236 (same vendor: Adobe; both on KEV)
CVE-2025-24407 (same vendor: Adobe)
CVE-2025-24434 (same vendor: Adobe)

Affected Assets

Adobe Experience Manager Forms, versions ≤ 6.5.23.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

Prevent: Directly remediates the misconfiguration vulnerability in Adobe Experience Manager by requiring identification, reporting, and correction of flaws like CVE-2025-54253 through timely patching as advised in Adobe's bulletin.

Prevent: Mitigates the CWE-863 misconfiguration enabling unauthorized bypass and arbitrary code execution by establishing and enforcing secure configuration settings for vulnerable AEM components.

Prevent: Prevents exploitation of the version-specific misconfiguration in AEM 6.5.23 and earlier by developing and maintaining baseline configurations that exclude insecure settings like Struts devmode.

References