Adobe patches critical Adobe Experience Manager Forms vulnerabilities with public PoC

Adobe has released an emergency security update for Adobe Experience Manager Forms on Java Enterprise Edition (JEE) that fixes two critical vulnerabilities (CVE-2025-54253, CVE-2025-54254) for which a proof-of-concept (PoC) exploit is publicly available.

Details about the flaws have been public for days, and attackers may soon try their hand at exploiting them.


About the vulnerabilities

Shubham Shah and Adam Kues of Searchlight Cyber’s Research Team found three critical vulnerabilities in Adobe Experience Manager Forms earlier this year and reported them to Adobe:

  • CVE-2025-49533, an untrusted data deserialization vulnerability affecting Adobe Experience Manager (AEM) Forms on JEE versions 6.5.23.0 and earlier that could lead to code execution without any user interaction. Adobe released a fix for it a month ago.
  • CVE-2025-54253, a misconfiguration issue, and CVE-2025-54254, an improper restriction of XML External Entity (XXE) reference flaw. Both affect AEM Forms on JEE versions 6.5.23.0 and earlier.

    The misconfiguration allows attackers to bypass security mechanisms and execute code on the system; the XXE flaw allows them to read arbitrary files from it. The fix for both was released on Tuesday.

“Adobe Experience Manager Forms can be deployed in two different ways: either it is co-deployed with your standard AEM installation, or it is deployed standalone on a J2EE-compatible server. The vulnerabilities [we found] are primarily applicable to standalone deployments of AEM Forms via a J2EE-compatible server such as JBoss,” Shah and Kues explained.

While Adobe is not aware of these two vulnerabilities being exploited in the wild, it urges admins to install the update as soon as possible. (More details on how to do it are available here.)

If the security update can’t be implemented at this time, Searchlight Cyber researchers have advised organizations using AEM Forms in standalone mode to restrict access to the application to internal users/networks only.

