Adobe Experience Manager: Older vulnerability targeted by attackers
US agency CISA reports active attacks on a critical AEM vulnerability that was already closed in August. Those who missed the update should catch up immediately.
The US Cybersecurity and Infrastructure Security Agency (CISA) has added a long-known security vulnerability in Adobe's content management platform Experience Manager (AEM) to its Known Exploited Vulnerabilities Catalog.
According to a security advisory from the agency, the CISA team has observed attacks targeting the vulnerability, CVE-2025-54253, which carries the maximum CVSS score of 10.0 (critical).
Further details, such as specific attacker groups, targets, or the scope of the attacks, are not provided in the advisory. However, it is known that attackers could fully compromise systems by executing arbitrary malicious code (arbitrary code execution, arbitrary file system read).
Action required only if August update was missed
Adobe already closed the security vulnerability at the beginning of August this year as part of the emergency update Experience Manager Forms on JEE 6.5.0-0108. Versions up to and including 6.5.23.0 are, or were, vulnerable.
Admins who installed the update at that time do not need to take any action, as the affected AEM installations are secured against exploits. All others can find more details and update instructions in the corresponding Adobe Security Bulletin APSB25-82.
The August emergency update was preceded by protracted communication between the vulnerability's discoverers and Adobe before the vulnerability, known since April, was finally patched. At that time, according to the software manufacturer, exploit code was already in circulation. Also concerning: the security bulletin has not yet been updated to reflect the active exploitation.
(ovw)