Wednesday, August 6, 2025

Adobe issues emergency fixes for AEM Forms zero-days after PoCs released


Adobe has released emergency updates for two zero-day flaws in Adobe Experience Manager (AEM) Forms on JEE after a proof-of-concept (PoC) exploit chain was disclosed that can be used for unauthenticated remote code execution on vulnerable instances.

The flaws are tracked as CVE-2025-54253 and CVE-2025-54254:

  • CVE-2025-54253: Misconfiguration allowing arbitrary code execution. Rated "Critical" with a CVSS score of 8.6.
  • CVE-2025-54254: Improper Restriction of XML External Entity Reference (XXE) allowing arbitrary file system read. Rated "Critical" with a maximum-severity CVSS score of 10.0.

Adobe has fixed the flaws in the latest versions, as described in its advisory.

The vulnerabilities were discovered by Shubham Shah and Adam Kues of Searchlight Cyber, who disclosed them to Adobe on April 28, 2025, together with a third issue, CVE-2025-49533.

Adobe initially patched only CVE-2025-49533 on August 5, leaving the other two flaws unfixed for over 90 days after the report.

After warning Adobe of their disclosure timeline, the researchers published a technical write-up on July 29 detailing how the vulnerabilities work and how they can be exploited.

According to the researchers, CVE-2025-49533 is a Java deserialization flaw in the FormServer module that allows unauthenticated remote code execution (RCE). A servlet processes user-supplied data by decoding and deserializing it without validation, letting attackers send malicious serialized payloads that execute commands on the server.

The XXE vulnerability, tracked as CVE-2025-54254, affects a web service that handles SOAP authentication. By submitting a specially crafted XML payload that declares an external entity, attackers can trick the service into returning the contents of local files, such as win.ini, without authenticating first.
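To make the mechanism concrete, here is an added example (not code from the researchers, Adobe, or AEM Forms) that models the flaw and its fix with Python's standard-library SAX parser standing in for the Java SOAP service. The SOAP request, the `authenticate`/`username` element names, and the file the entity points at are all assumptions constructed for the demo; `feature_external_ges` is the real `xml.sax` switch that controls whether external general entities are followed:

```python
import io
import pathlib
import tempfile
import xml.sax
from xml.sax.handler import feature_external_ges

# Constructed stand-in for the file an attacker would target (the write-up used win.ini).
SECRET = "[fonts]\n; constructed stand-in for C:\\Windows\\win.ini"

# A benign SOAP login request, constructed for this example (element names are assumed).
BENIGN_REQUEST = b"""<?xml version="1.0"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Body>
    <authenticate>
      <username>alice</username>
      <password>s3cret</password>
    </authenticate>
  </soapenv:Body>
</soapenv:Envelope>
"""


def build_xxe_payload(file_uri: str) -> bytes:
    """Same request, but the username is an external entity that points at a local file."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE soapenv:Envelope [<!ENTITY xxe SYSTEM "{file_uri}">]>\n'
        '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">\n'
        '  <soapenv:Body>\n'
        '    <authenticate>\n'
        '      <username>&xxe;</username>\n'
        '      <password>x</password>\n'
        '    </authenticate>\n'
        '  </soapenv:Body>\n'
        '</soapenv:Envelope>\n'
    ).encode()


class TextCollector(xml.sax.ContentHandler):
    """Collects the character data of one named element, wherever it sits in the envelope."""

    def __init__(self, element):
        super().__init__()
        self.element = element
        self.inside = False
        self.parts = []

    def startElement(self, name, attrs):
        if name == self.element:
            self.inside = True

    def endElement(self, name):
        if name == self.element:
            self.inside = False

    def characters(self, content):
        if self.inside:
            self.parts.append(content)

    def text(self):
        return "".join(self.parts)


def parse_username(xml_bytes: bytes, resolve_external_entities: bool) -> str:
    """Parse a SOAP login request and return the username it carries.

    resolve_external_entities=True models the vulnerable service: the parser follows the
    SYSTEM entity and splices the file's contents into the document, so whatever the
    service echoes back (an error message, a response field) leaks the file.
    False is the hardened setting; it is also Python's default since 3.7.1.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    handler = TextCollector("username")
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.text()


def request_is_safe(xml_bytes: bytes) -> bool:
    """Defence in depth for the endpoint: a login request has no business carrying a DTD."""
    head = xml_bytes.lstrip()[:4096].lower()
    return b"<!doctype" not in head and b"<!entity" not in head


def demo():
    """Write a secret to a temp file, then feed the XXE payload to both parser configurations."""
    with tempfile.TemporaryDirectory() as tmp:
        target = pathlib.Path(tmp) / "win.ini"
        target.write_text(SECRET)
        payload = build_xxe_payload(target.as_uri())
        leaked = parse_username(payload, resolve_external_entities=True)
        safe = parse_username(payload, resolve_external_entities=False)
        return leaked, safe


if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable parser returned:", repr(leaked))
    print("hardened parser returned:  ", repr(safe))
```

The vulnerable configuration returns the file's contents as the "username"; the hardened one returns an empty string because the entity reference is skipped. In a Java service the equivalent fix is to disable DTDs or external entities on the `DocumentBuilderFactory`/`SAXParserFactory` used for the SOAP body, and the `request_is_safe` check shows the cheap front-door filter worth adding as well.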

Finally, CVE-2025-54253 is caused by an authentication bypass in the /adminui module combined with a misconfigured developer setting.

The researchers found that Struts2's development mode had been left enabled by mistake. With development mode on, Struts2's debugging interceptor is active, so attackers can execute OGNL expressions simply by sending the right debug parameters in HTTP requests.
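Since the OGNL path only exists while development mode is on, two checks matter to a defender: whether `struts.devMode` is set, and whether anyone is already probing the debugging interceptor. The following is an added example (not code from the researchers or from AEM Forms) that does both over a constructed access-log sample; the `debug=` values it looks for are the ones the Struts2 DebuggingInterceptor accepts, while the IP addresses, paths and timestamps in the sample are made up for this example:

```python
import re
from urllib.parse import parse_qs, urlsplit

# Values the Struts 2 DebuggingInterceptor accepts for ?debug=; it only answers when
# struts.devMode is true, which is exactly the misconfiguration described above.
DEBUG_MODES = {"xml", "console", "command", "browser"}

# Combined/common log format, as written by httpd or a reverse proxy in front of AEM.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (addresses, paths and timestamps are made up for this example).
SAMPLE_LOG = """\
203.0.113.7 - - [29/Jul/2025:10:15:01 +0000] "GET /adminui/ HTTP/1.1" 200 5120
203.0.113.7 - - [29/Jul/2025:10:15:03 +0000] "GET /adminui/?debug=console HTTP/1.1" 200 2311
203.0.113.7 - - [29/Jul/2025:10:15:09 +0000] "GET /adminui/?debug=command&expression=1%2B1 HTTP/1.1" 200 3
198.51.100.4 - - [29/Jul/2025:10:16:00 +0000] "GET /lc/login.jsp?debug=true HTTP/1.1" 200 4096
198.51.100.4 - - [29/Jul/2025:10:16:20 +0000] "POST /lc/login.jsp HTTP/1.1" 302 0
"""


def classify_request(target: str):
    """Return a short reason if the request targets the DebuggingInterceptor, else None."""
    qs = parse_qs(urlsplit(target).query, keep_blank_values=True)
    modes = {v.lower() for v in qs.get("debug", [])} & DEBUG_MODES
    if not modes:
        return None  # debug=true or no debug parameter at all: not the Struts interceptor
    reason = "debug=" + ",".join(sorted(modes))
    expressions = qs.get("expression", [])  # parse_qs has already percent-decoded these
    if expressions:
        reason += " with OGNL expression " + repr(expressions[0][:80])
    return reason


def scan_access_log(lines):
    """Return one finding per request that looks like a Struts devMode/OGNL probe."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        reason = classify_request(m["target"])
        if reason is None:
            continue
        findings.append({
            "ip": m["ip"],
            "time": m["ts"],
            "path": urlsplit(m["target"]).path,
            "status": int(m["status"]),
            "reason": reason,
        })
    return findings


def devmode_enabled(struts_properties: str) -> bool:
    """True if a struts.properties text turns development mode on (the setting that arms the interceptor)."""
    for raw in struts_properties.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue  # Java properties comment lines
        key, _, value = line.partition("=")
        if key.strip() == "struts.devMode":
            return value.strip().lower() == "true"
    return False  # Struts defaults devMode to false when the key is absent


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG.splitlines()):
        print(f"{f['time']} {f['ip']} {f['path']} -> {f['status']}: {f['reason']}")
    print("devMode on:", devmode_enabled("struts.devMode = true"))
```

On the sample, the two `/adminui/` requests with `debug=console` and `debug=command` are flagged and the `debug=true` request on the login page is not, because only the interceptor's own mode names matter. The configuration fix is the one the page's description implies: set `struts.devMode=false` in struts.properties (or `<constant name="struts.devMode" value="false"/>` in struts.xml), which disables the debugging interceptor entirely; `devmode_enabled` is the check to run against a deployed instance's configuration.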

As the flaws allow unauthenticated remote code execution on vulnerable servers, all admins are advised to install the latest updates and hotfixes as soon as possible.

If that's not immediately possible, the researchers strongly recommend restricting access to the platform from the internet until it has been patched.
