- Adobe fixed two critical AEM flaws that allow code execution and file access without user interaction
- CISA added CVE-2025-54253 and CVE-2025-54254 to KEV, confirming active exploitation
- Agencies must patch by November 5; the private sector is urged to follow suit given the widespread risk.
Adobe recently fixed two flaws in its Experience Manager product, including a major flaw that allows malicious actors to execute arbitrary code.
While the company said it is “not aware” of existing exploits, it did say it had seen proof-of-concept (PoC) exploits in circulation. Additionally, the US Cybersecurity and Infrastructure Security Agency (CISA) added both flaws to KEV (its catalog of Known Exploited Vulnerabilities), meaning they are being used in attacks.
Adobe Experience Manager (AEM) is Adobe’s enterprise-grade content management system (CMS) used to create and manage websites, mobile apps, and digital experiences. It helps large organizations create, organize and deliver personalized content across different channels.
Added to CISA KEV
The two flaws in question are tracked as CVE-2025-54253 and CVE-2025-54254. The first is described as a “misconfiguration vulnerability” that can be abused to bypass security mechanisms and has a severity score of 10/10 (critical).
The latter is an “inadequate restriction of XML External Entity (‘XXE’) reference” vulnerability that results in arbitrary file system reads and allows attackers to access sensitive files without any user interaction. It was given a severity score of 8.6/10 (High).
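The XXE class of bug described above works by letting untrusted XML declare entities that the parser then resolves, typically to local files. The following is an added defensive example, not code from the article or from Adobe: a standard-library XML parsing gate that refuses any DOCTYPE or entity declaration before the document body is parsed. The sample inputs (including the `file:///placeholder/path` system identifier) are constructed for the demonstration.

```python
"""Added example (not from the article or from Adobe): reject XXE-capable
constructs before parsing untrusted XML.  Uses only xml.parsers.expat."""
import xml.parsers.expat


class UnsafeXmlError(ValueError):
    """Raised when the document carries a DOCTYPE or an entity declaration."""


def parse_without_entities(xml_bytes: bytes) -> list[str]:
    """Parse `xml_bytes` and return the element names in document order,
    or raise UnsafeXmlError before any entity could be resolved.

    The DOCTYPE and entity handlers fire while expat is still reading the
    prologue, so an external (SYSTEM/PUBLIC) entity is rejected before the
    body is reached.  No ExternalEntityRefHandler is installed, so expat
    would not fetch anything from disk or the network in any case.
    """
    seen: list[str] = []
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Any DOCTYPE is refused: untrusted input has no business defining one.
        raise UnsafeXmlError(f"DOCTYPE {name!r} not allowed")

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        # Reached only if a DOCTYPE slipped past; rejects internal and external entities alike.
        raise UnsafeXmlError(f"entity {name!r} not allowed (system id {sysid!r})")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.StartElementHandler = lambda name, attrs: seen.append(name)
    # Exceptions raised inside expat handlers propagate out of Parse().
    parser.Parse(xml_bytes, True)
    return seen


# Constructed inputs: a benign document and one shaped like a classic XXE payload.
BENIGN = b'<config><item name="a"/></config>'
EXTERNAL_ENTITY = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE cfg [<!ENTITY ext SYSTEM "file:///placeholder/path">]>'
    b'<cfg>&ext;</cfg>'
)


def classify(xml_bytes: bytes) -> str:
    """Return "ok" for entity-free, well-formed XML, "rejected" for XXE-capable
    input, and "malformed" for XML that does not parse at all."""
    try:
        parse_without_entities(xml_bytes)
    except UnsafeXmlError:
        return "rejected"
    except xml.parsers.expat.ExpatError:
        return "malformed"
    return "ok"


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("external entity", EXTERNAL_ENTITY)):
        print(f"{label}: {classify(doc)}")
```

Refusing the DOCTYPE outright, rather than trying to allow "safe" entities, is the usual hardening advice for parsers handling untrusted input; the same idea applies to the XML libraries in Java-based products such as AEM, where the equivalent is disabling DOCTYPE and external-entity features on the parser factory.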
Both bugs were found in Adobe Experience Manager versions 6.5.23 and earlier. The patch, released in August of this year, brings the tool to version 6.5.0-0108.
On October 15, CISA added both flaws to its KEV catalog, confirming reports of abuse in the wild. When a bug is added to KEV, Federal Civilian Executive Branch (FCEB) agencies have three weeks to apply available fixes and mitigations or stop using the vulnerable tools altogether.
In the case of Adobe, agencies have until November 5, 2025 to apply the patches.
While the CISA deadline only applies to FCEB agencies, other agencies and private sector companies are encouraged to follow suit, as cybercriminals rarely differentiate between the two and will target anyone who is vulnerable.
Via The Hacker News