CVE-2025-54253
Published: 05 August 2025
Summary
CVE-2025-54253 is a critical-severity Incorrect Authorization (CWE-863) vulnerability in Adobe Experience Manager Forms. Its CVSS base score is 10.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 3.8% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 CM-2 (Baseline Configuration) and CM-6 (Configuration Settings).
Deeper analysis
Adobe Experience Manager versions 6.5.23 and earlier contain a misconfiguration vulnerability, tracked as CVE-2025-54253 and assigned CWE-863, that permits arbitrary code execution. The flaw carries a CVSS 3.1 score of 10.0 with network attack vector, low complexity, no required privileges or user interaction, and changed scope, allowing an attacker to bypass security controls and run code on the affected system.
An unauthenticated remote attacker can exploit the issue directly over the network to achieve code execution without any user interaction. Successful exploitation grants the ability to bypass existing security mechanisms and obtain full control over the impacted Adobe Experience Manager instance.
Adobe has published an advisory detailing the affected versions and remediation steps at helpx.adobe.com, while independent research from Assetnote has linked the root cause to exposed Struts development-mode settings. The vulnerability appears in CISA’s Known Exploited Vulnerabilities catalog, confirming real-world exploitation. Its EPSS score rose materially from lower values at disclosure to a peak of 0.5874 on 2026-01-13 before receding to the current 0.2419, indicating increased attacker interest after public release.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-23647
Vulnerability details
Adobe Experience Manager versions 6.5.23 and earlier are affected by a Misconfiguration vulnerability that could result in arbitrary code execution. An attacker could leverage this vulnerability to bypass security mechanisms and execute code. Exploitation of this issue does not require user interaction and scope is changed.
- CWE(s): CWE-863 (Incorrect Authorization)
- KEV Date Added: 15 October 2025
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CVE-2025-54253 is a misconfiguration vulnerability in Adobe Experience Manager Forms (Struts DevMode) enabling pre-authentication arbitrary code execution on public-facing web services, directly mapping to T1190: Exploit Public-Facing Application.
Mitigating Controls (NIST 800-53 r5)
- Flaw remediation: directly remediates the misconfiguration vulnerability in Adobe Experience Manager by requiring identification, reporting, and correction of flaws like CVE-2025-54253 through timely patching as advised in Adobe's bulletin.
- CM-6 (Configuration Settings): mitigates the CWE-863 misconfiguration enabling unauthorized bypass and arbitrary code execution by establishing and enforcing secure configuration settings for vulnerable AEM components.
- CM-2 (Baseline Configuration): prevents exploitation of the version-specific misconfiguration in AEM 6.5.23 and earlier by developing and maintaining baseline configurations that exclude insecure settings like Struts devmode.
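The CM-2/CM-6 controls above come down to one concrete check: is Struts development mode switched on anywhere in the deployed configuration? The script below is an added example written for this page, not Adobe's, Assetnote's or the AEM project's code. It assumes the standard Struts 2 constant name `struts.devMode`, which can be set either in `struts.xml` or in `struts.properties`; the sample files are constructed here, and the on-disk location of these files in an AEM Forms install is not known to the script, so you pass the files you want audited.

```python
"""Baseline audit: flag Apache Struts development mode in struts.xml / struts.properties.

Added example for the CM-2 / CM-6 mitigations; not Adobe's or Assetnote's code.
Assumption: the Struts 2 constant is named `struts.devMode` (its real name);
the sample inputs below are constructed, not taken from a real deployment.
"""
import sys
import xml.etree.ElementTree as ET

# --- constructed sample inputs ---------------------------------------------
# Weak: development mode enabled (the insecure setting the CM-2 baseline excludes).
WEAK_STRUTS_XML = """<struts>
  <constant name="struts.devMode" value="true"/>
  <package name="default" extends="struts-default"/>
</struts>
"""

# Hardened: the same file with development mode explicitly off.
HARDENED_STRUTS_XML = """<struts>
  <constant name="struts.devMode" value="false"/>
  <package name="default" extends="struts-default"/>
</struts>
"""

# The same setting can also live in a Java .properties file.
WEAK_PROPERTIES = "# constructed sample\nstruts.devMode = true\nstruts.i18n.reload=true\n"


def devmode_from_xml(text):
    """Return True/False for struts.devMode in a struts.xml body, None if not set."""
    root = ET.fromstring(text)
    for const in root.iter("constant"):
        if const.get("name") == "struts.devMode":
            return const.get("value", "").strip().lower() == "true"
    return None


def devmode_from_properties(text):
    """Same for a .properties body: key=value lines, '#'/'!' comments ignored."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        if key.strip() == "struts.devMode":
            return value.strip().lower() == "true"
    return None


def audit(sources):
    """sources: iterable of (label, kind, text) with kind 'xml' or 'properties'.

    Returns one finding string per source where development mode is enabled;
    an empty list means the configuration matches the hardened baseline.
    """
    findings = []
    for label, kind, text in sources:
        parser = devmode_from_xml if kind == "xml" else devmode_from_properties
        if parser(text) is True:
            findings.append(
                f"{label}: struts.devMode=true (development mode exposed; "
                f"set to false to meet the CM-6 baseline)"
            )
    return findings


def audit_files(paths):
    """Audit real files; kind is inferred from the extension."""
    sources = []
    for path in paths:
        kind = "xml" if path.endswith(".xml") else "properties"
        with open(path, encoding="utf-8") as fh:
            sources.append((path, kind, fh.read()))
    return audit(sources)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = audit_files(sys.argv[1:])
    else:
        # No paths given: run against the constructed samples.
        results = audit([
            ("weak struts.xml", "xml", WEAK_STRUTS_XML),
            ("hardened struts.xml", "xml", HARDENED_STRUTS_XML),
            ("weak struts.properties", "properties", WEAK_PROPERTIES),
        ])
    for finding in results:
        print("FINDING:", finding)
    sys.exit(1 if results else 0)
```

Run it with the paths of the Struts configuration files pulled from each AEM Forms host; a non-zero exit marks a baseline deviation, which makes it easy to wire into the configuration-compliance job that enforces CM-2. An absent setting returns `None` rather than `False` on purpose: the audit only reports what is explicitly enabled and leaves the "not set, so what is the default?" question to be answered against the vendor advisory rather than guessed.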