
A zero-day vulnerability in Adobe AEM Forms allows attackers to execute arbitrary code.

Adobe has issued an urgent security update for Adobe Experience Manager Forms on Java Enterprise Edition (JEE) to address two critical zero-day vulnerabilities, CVE-2025-54253 and CVE-2025-54254. Together they could let an attacker execute arbitrary code and read files from the server's file system without authorisation. Adobe has given both flaws its highest priority rating, and proof-of-concept exploits are already publicly available, which significantly increases the likelihood of exploitation. The more severe of the two, CVE-2025-54253, is a misconfiguration flaw with a maximum CVSS base score of 10.0 that allows code execution without authentication. The second, CVE-2025-54254, is an improper restriction of XML External Entity (XXE) references, rated CVSS 8.6, which enables arbitrary reads from the file system.

Organisations running affected versions of Adobe Experience Manager Forms on JEE, specifically version 6.5.23.0 and earlier, are urged to update immediately to version 6.5.0-0108, which addresses both vulnerabilities. Adobe has classified the update as Priority 1, underlining the urgency of deployment. Although the company has not confirmed active exploitation in the wild, the public availability of proof-of-concept exploits raises the stakes for organisations that have not yet patched. Detailed update instructions are available on Adobe's Experience League documentation platform. The disclosure of these zero-day vulnerabilities underscores the importance of keeping enterprise content management systems current with security patches.
