Cyber Resilience

CVE-2025-54254

High

Published: 05 August 2025

Published
05 August 2025
Modified
02 October 2025
KEV Added
Patch
CVSS Score v3.1 8.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
EPSS Score 0.0098 77.3th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-54254 is a high-severity Improper Restriction of XML External Entity Reference (CWE-611) vulnerability in Adobe Experience Manager Forms. Its CVSS base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 22.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-54254 is an Improper Restriction of XML External Entity Reference (XXE) vulnerability, classified as CWE-611, affecting Adobe Experience Manager versions 6.5.23 and earlier. This issue enables arbitrary file system reads, allowing attackers to access sensitive files on the local file system.

With a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N), the vulnerability is exploitable remotely over the network with low complexity, requiring no privileges or user interaction, and features a changed scope that results in high confidentiality impact. Unauthenticated attackers can leverage this to read sensitive local files without any user involvement.

Adobe's security bulletin APSB25-82, published at https://helpx.adobe.com/security/products/aem-forms/apsb25-82.html, details mitigation steps and available patches for affected versions.

EU & UK References

Vulnerability details

Adobe Experience Manager versions 6.5.23 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could lead to arbitrary file system read. An attacker could exploit this vulnerability to access sensitive files on the…

more

local file system, scope is changed. Exploitation of this issue does not require user interaction.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1005 Data from Local System Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Why these techniques?

XXE in public-facing AEM directly enables remote unauthenticated exploitation (T1190) and arbitrary local file reads (T1005).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-54253Same product: Adobe Experience Manager Forms
CVE-2025-49535Same vendor: Adobe
CVE-2025-61813Same vendor: Adobe
CVE-2025-61821Same vendor: Adobe
CVE-2026-27305Same vendor: Adobe
CVE-2025-54261Same vendor: Adobe
CVE-2026-41066Shared CWE-611
CVE-2025-0162Shared CWE-611
CVE-2026-27304Same vendor: Adobe
CVE-2024-56324Shared CWE-611

Affected Assets

adobe
experience manager forms
≤ 6.5.23.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly remediates the XXE vulnerability by identifying, reporting, and applying vendor patches as specified in Adobe's APSB25-82 bulletin.

prevent

Implements input validation at XML processing points to restrict external entity references, preventing arbitrary file system reads.

prevent

Establishes and enforces secure configuration settings for XML parsers in Adobe Experience Manager to disable external entity processing.

References