Experience Manager: Adobe doesn't patch for 90 days, now brings emergency update
Since proof-of-concept code is in circulation, attacks on Adobe Experience Manager could be imminent.
Attackers can exploit two vulnerabilities in Adobe Experience Manager to compromise systems. The vulnerabilities have been known since April of this year, but security patches are only now being released.
No role model
As security researchers from Searchlight Cyber state in a report, they informed Adobe about three vulnerabilities (CVE-2025-49533 “critical,” CVE-2025-54254 “high,” CVE-2025-54253 “critical”) in April 2025. The latter vulnerability is classified with the highest possible CVSS score of 10 out of 10. If attacks are successful, attackers can completely compromise systems by executing malicious code.
According to the researchers, communication was extremely slow, and Adobe's responses sometimes referred to patches for completely different vulnerabilities. On Patchday in July, Adobe then closed at least one gap (CVE-2025-49533). The researchers also provide technical details on the vulnerabilities in their report.
Further development
After further failed attempts to communicate the whereabouts of the remaining security updates, the security researchers decided to publish details of the two unpatched vulnerabilities in accordance with the 90-day responsible disclosure procedure. Among other things, they discovered that DevMode was active by default in the Apache Struts component. Attackers could abuse this to execute malicious code remotely.
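One check an administrator can run against a deployment is to look for the Apache Struts developer mode setting in the two places it is usually configured. The following is an added example, not code from Adobe or from the Searchlight Cyber report; the sample configuration files are constructed, and `struts.devMode` is the real Struts constant name.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample files for demonstration (not from any real deployment).
SAMPLE_STRUTS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<struts>
  <constant name="struts.devMode" value="true"/>
  <constant name="struts.enable.DynamicMethodInvocation" value="false"/>
</struts>
"""

SAMPLE_STRUTS_PROPERTIES = """# constructed example
struts.devMode = true
struts.i18n.reload=false
"""


def devmode_from_struts_xml(xml_text):
    """Return True/False if struts.devMode is set as a <constant> in struts.xml, else None."""
    root = ET.fromstring(xml_text)
    for const in root.iter("constant"):
        if const.get("name") == "struts.devMode":
            return const.get("value", "").strip().lower() == "true"
    return None


def devmode_from_properties(props_text):
    """Return True/False if struts.devMode is set in struts.properties, else None."""
    for line in props_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue  # comment lines in Java .properties syntax
        m = re.match(r"struts\.devMode\s*[=:]\s*(\S+)", line)
        if m:
            return m.group(1).lower() == "true"
    return None


def devmode_enabled(xml_text=None, props_text=None):
    """Conservative verdict: report devMode as enabled if any source enables it.

    Apache Struts ships with devMode off; the report says the AEM Forms
    component had it on by default, so an absent setting alone is not proof
    that it is off. Only an explicit 'true' anywhere is flagged here.
    """
    sources = [devmode_from_struts_xml(xml_text) if xml_text else None,
               devmode_from_properties(props_text) if props_text else None]
    return any(v is True for v in sources)
```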
Adobe has now released the emergency update Experience Manager Forms on JEE 6.5.0-0108 to close the two remaining vulnerabilities. Even though, according to Adobe, no attacks have been observed yet, admins should install the update quickly. After all, according to the software manufacturer, proof-of-concept code is in circulation, which could lead to attacks in the near future.
(des)