Adobe has released emergency updates for two zero-day flaws in Adobe Experience Manager (AEM) Forms on JEE after a proof-of-concept exploit chain was disclosed that can be used for unauthenticated remote code execution on vulnerable instances.
The flaws are tracked as CVE-2025-54253 and CVE-2025-54254:
- CVE-2025-54253: Misconfiguration allowing arbitrary code execution. Rated "Critical" with a CVSS score of 8.6.
- CVE-2025-54254: Improper Restriction of XML External Entity Reference (XXE) allowing arbitrary file system read. Rated "Critical" with a maximum-severity CVSS score of 10.0.
Adobe has fixed the issues in the latest versions, as described in this advisory.
The vulnerabilities were discovered by Shubham Shah and Adam Kues of Searchlight Cyber, who disclosed them to Adobe on April 28, 2025, together with a third issue, CVE-2025-49533.
Adobe initially patched CVE-2025-49533 on August 5, leaving the other two flaws unfixed for over 90 days.
After warning Adobe of their disclosure timeline, the researchers published a technical write-up on July 29 detailing how the vulnerabilities work and how they can be exploited.
According to the researchers, CVE-2025-49533 is a Java deserialization flaw in the FormServer module that allows unauthenticated remote code execution (RCE). A servlet processes user-supplied data by decoding and deserializing it without validation, letting attackers send malicious payloads that execute commands on the server.
The XXE vulnerability, tracked as CVE-2025-54254, affects a web service that handles SOAP authentication. By submitting a specially crafted XML payload, attackers can trick the service into exposing local files, such as win.ini, without authentication.
Finally, the CVE-2025-54253 flaw is caused by an authentication bypass in the /adminui module combined with a misconfigured developer setting.
The researchers found that Struts2's development mode was left enabled by mistake, allowing attackers to execute OGNL expressions via debug parameters sent in HTTP requests.
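A defender-side check for the two conditions described in the last two paragraphs, added here as an example and not code from Adobe or the researchers: a struts.xml parser that reports whether struts.devMode is enabled, and an access-log scan that flags requests to /adminui carrying a Struts2 debug parameter. The log format, the struts.xml fragment and the log lines are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs

# Struts2 reads this constant from struts.xml; "true" activates the
# DebuggingInterceptor, which is what honours ?debug=... parameters.
DEVMODE_CONSTANT = "struts.devMode"

def devmode_enabled(struts_xml: str) -> bool:
    """Return True if the given struts.xml content sets struts.devMode to true."""
    root = ET.fromstring(struts_xml)
    for const in root.iter("constant"):
        if const.get("name") == DEVMODE_CONSTANT:
            return const.get("value", "false").strip().lower() == "true"
    return False  # constant absent: Struts2 defaults devMode to false

# Assumed combined log format: client IP, two ident fields, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def flag_debug_requests(log_lines):
    """Return (ip, path, debug_value) for requests to /adminui that carry a
    Struts2 'debug' parameter. On a production server any such request is
    worth investigating, whatever value the parameter holds."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        url = urlsplit(m.group("target"))
        if not url.path.startswith("/adminui"):
            continue
        params = parse_qs(url.query)
        if "debug" in params:
            hits.append((m.group("ip"), url.path, params["debug"][0]))
    return hits

# Constructed sample input (not taken from any real deployment).
SAMPLE_STRUTS_XML = """<struts>
  <constant name="struts.devMode" value="true"/>
  <constant name="struts.enable.DynamicMethodInvocation" value="false"/>
</struts>"""
SAMPLE_LOG = [
    '203.0.113.7 - - [29/Jul/2025:10:01:02 +0000] "GET /adminui/ HTTP/1.1" 200 512',
    '203.0.113.7 - - [29/Jul/2025:10:01:05 +0000] "GET /adminui/home.html?debug=console HTTP/1.1" 200 88',
    '198.51.100.4 - - [29/Jul/2025:10:02:00 +0000] "GET /content/index.html?debug=1 HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    print("struts.devMode enabled:", devmode_enabled(SAMPLE_STRUTS_XML))
    for hit in flag_debug_requests(SAMPLE_LOG):
        print("suspicious Struts2 debug request on /adminui:", hit)
```

The third log line is deliberately left unflagged: the check is scoped to the /adminui path the write-up names, so other paths with a debug parameter are not reported.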
As the flaws allow remote code execution on vulnerable servers, all admins are advised to install the latest updates and hotfixes as soon as possible.
If that isn't possible, the researchers strongly recommend restricting access to the platform from the internet.