- Adobe patched two critical AEM flaws enabling code execution and file access without user interaction
- CISA added CVE-2025-54253 and CVE-2025-54254 to KEV, confirming active exploitation
- Agencies must patch by November 5; private sector urged to follow due to widespread risk
Adobe recently patched two flaws in its Experience Manager product, including a maximum-severity one that allows malicious actors to execute arbitrary code.
While the company said it is “not aware” of in-the-wild exploits, it did say that it saw proof-of-concept (PoC) exploits out there. Also, US Cybersecurity and Infrastructure Security Agency (CISA) added it to KEV (the known exploited vulnerability catalog), meaning it is being used in attacks.
Adobe Experience Manager (AEM) is Adobe’s enterprise-level content management system (CMS) used for building and managing websites, mobile apps, and digital experiences. It helps large organizations create, organize, and deliver personalized content across different channels.
Added to CISA’s KEV
The two flaws in question are tracked as CVE-2025-54253 and CVE-2025-54254. The former is described as a “misconfiguration vulnerability” that can be abused to bypass security mechanisms and has a severity score of 10/10 (critical).
The latter is an “improper restriction of XML External Entity Reference (‘XXE)’ vulnerability that results in arbitrary file system read and allows attackers to access sensitive files – without any user interaction. It was given a severity score of 8.6/10 (high).
Both bugs were found in Adobe Experience Manager versions 6.5.23 and earlier. The patch, released in August this year, brings the tool to version 6.5.0-0108.
On October 15, CISA added both flaws to its KEV catalog, confirming reports of abuse in the wild. When a bug is added to KEV, Federal Civilian Executive Branch (FCEB) agencies have a three-week deadline to apply available fixes and mitigations or stop using the vulnerable tools altogether.
In Adobe’s case, agencies have until November 5, 2025, to apply the patches.
While CISA’s deadline only applies to FCEB agencies, other agencies and businesses in the private sector are advised to follow suit, since cybercriminals rarely differentiate between the two and will target whoever is vulnerable.
Via The Hacker News
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.
