In cybersecurity, there is no truce — and this time it’s Adobe’s turn. The company has just released emergency patches for two critical vulnerabilities in Adobe Experience Manager (AEM) Forms on JEE, after public exploits were disclosed that allow remote code execution (RCE) on vulnerable servers without authentication.
At TecnetOne, we want to explain what happened, why these flaws are so severe, and most importantly, what you should do to protect your systems immediately.
The Critical Flaws Detected
The vulnerabilities have been identified as CVE-2025-54253 and CVE-2025-54254, both with very high risk levels:
- CVE-2025-54253: A misconfiguration error enabling arbitrary code execution. Rated Critical with a CVSS score of 8.6.
- CVE-2025-54254: An XXE (XML External Entity) flaw that allows system file disclosure without authentication. Rated Maximum Severity with a CVSS score of 10.0.
Adobe has already published a security update addressing these flaws. If you manage servers running AEM Forms, you must install these updates right away.
How the Vulnerabilities Were Discovered
Researchers Shubham Shah and Adam Kues from Searchlight Cyber reported these flaws to Adobe on April 28, 2025. In the same report, they disclosed a third vulnerability, CVE-2025-49533, which was patched on August 5.
However, the two most severe flaws (54253 and 54254) remained unpatched for over 90 days, giving attackers time to prepare exploits while systems were still exposed.
On July 29, the researchers published a technical report detailing how the vulnerabilities work and how they could be exploited — which accelerated Adobe’s emergency patch release.
Technical Details of the Flaws
To understand the severity, here’s how each vulnerability works:
- CVE-2025-49533 – Insecure Deserialization in FormServer
Now patched. This flaw allowed unauthenticated RCE through a servlet that accepted user-supplied data and decoded and deserialized it without validation.
In practice, an attacker could send a malicious payload and execute commands directly on the server.
- CVE-2025-54254 – XXE in SOAP Service
This flaw affected a SOAP-based authentication web service. With a crafted XML, an attacker could trick the system into displaying local server files (like win.ini in Windows) without authentication. Beyond exposing sensitive files, it could serve as a gateway for more complex attacks.
- CVE-2025-54253 – Development Mode Enabled by Mistake
Due to a misconfiguration, Struts2 development mode was left active in the /adminui module. This allowed attackers to execute OGNL expressions by sending crafted debugging parameters in HTTP requests.
In simple terms: a manipulated request was enough for arbitrary code execution.
The Real Risk to Your Organization
If you use Adobe Experience Manager Forms on JEE, these flaws represent a critical risk because they:
- Require no authentication — any remote attacker could exploit them.
- Allow code execution — granting full control of the compromised server.
- Expose confidential data — from system files to sensitive organizational data.
- Can be chained together — amplifying the attack’s impact.
A successful attack could result in:
- Theft of private or financial information
- Complete disruption of online services
- Use of your compromised server to launch further attacks
- Reputational damage and possible regulatory penalties
What to Do Now: Urgent Actions
At TecnetOne, we recommend taking immediate steps:
Install Adobe Updates
Review Adobe’s latest security bulletin and apply all updates and hotfixes without delay.
Verify Server Configurations
Disable any development modes or debugging configurations that expose diagnostic parameters to remote requests.
Strengthen Security Monitoring
Implement tools that detect anomalous behavior in real time to catch exploitation attempts early.
Restrict Access to Exposed Services
Avoid exposing services like the /adminui module to the internet unless absolutely necessary.
Train Your IT Team
Ensure administrators understand these vulnerabilities and are prepared to respond quickly.
Plan Penetration Testing
Regular security assessments help detect vulnerabilities before attackers do.
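The configuration and monitoring recommendations above can be backed by a simple log review. The following is an added example (not code from the article, TecnetOne or Adobe) that scans reverse-proxy or WAF request records in front of AEM Forms on JEE for the two request shapes the article describes: a /adminui request carrying a Struts2 debug parameter, and a SOAP request carrying a DOCTYPE (SOAP forbids DTDs in messages, and an external entity is the XXE precondition). The SOAP path prefix, the record shape and the sample records are assumptions constructed for illustration.

```python
"""Added example, not code from the article, TecnetOne or Adobe: flag two
request shapes from proxy/WAF logs in front of AEM Forms on JEE.
1. /adminui requests carrying a Struts2 "debug" parameter (dev-mode hook
   behind CVE-2025-54253).
2. SOAP POSTs carrying a DOCTYPE; SOAP forbids DTDs in messages, and an
   external entity (SYSTEM/PUBLIC) is the XXE precondition (CVE-2025-54254).
SOAP path prefix, record shape and sample records are assumptions."""
import re
from urllib.parse import parse_qs, urlsplit
SOAP_PATH_PREFIX = "/soap/"  # assumed; adjust to the deployment
DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.I)
EXTERNAL_ENTITY_RE = re.compile(r"<!ENTITY\b[^>]*\b(?:SYSTEM|PUBLIC)\b", re.I)


def flag_request(method, url, body=""):
    """Return finding labels for one request; an empty list means clean."""
    findings = []
    parts = urlsplit(url)
    is_post = method.upper() == "POST"
    if parts.path.startswith("/adminui"):
        params = parse_qs(parts.query, keep_blank_values=True)
        # The parameter can also arrive in a form-encoded POST body.
        if is_post and body and not body.lstrip().startswith("<"):
            params.update(parse_qs(body, keep_blank_values=True))
        if "debug" in params:
            findings.append("adminui-debug-parameter")
    if is_post and parts.path.startswith(SOAP_PATH_PREFIX) and DOCTYPE_RE.search(body):
        findings.append("soap-dtd-present")
        if EXTERNAL_ENTITY_RE.search(body):
            findings.append("soap-external-entity")
    return findings


def review(records):
    # Apply flag_request to (method, url, body) tuples; return the flagged ones.
    hits = []
    for method, url, body in records:
        labels = flag_request(method, url, body)
        if labels:
            hits.append((url, labels))
    return hits


# Constructed sample records, not captured traffic.
SAMPLE_RECORDS = [
    ("GET", "/adminui/login.faces", ""),
    ("GET", "/adminui/secured/home.faces?debug=browser", ""),
    ("POST", "/soap/services/EXAMPLE_SERVICE", "<?xml version='1.0'?><s:Envelope/>"),
    ("POST", "/soap/services/EXAMPLE_SERVICE",
     '<!DOCTYPE d [<!ENTITY e SYSTEM "file:///EXAMPLE_PATH">]><s:Envelope>&e;</s:Envelope>'),
]
```

Feed `review()` the records your proxy or WAF actually logs; only records whose body is captured can be checked for the SOAP DOCTYPE or a POSTed debug parameter.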
The Value of Prevention in Cybersecurity
This incident highlights a critical lesson: waiting is never an option.
Although these flaws were reported in April, the patch delay left hundreds of organizations exposed.
The only way to minimize risk is with a proactive approach:
- Apply patches as soon as they are available.
- Ensure proper configuration of every environment.
- Rely on advanced cybersecurity solutions to detect exploitation attempts before it’s too late.
Conclusion: Don’t Put Off Your Security
The vulnerabilities discovered in Adobe AEM Forms are a stark reminder of how fragile complex systems can be. If you use this platform, you must act now.
At TecnetOne, we can help you deploy patches, harden configurations, and roll out next-generation security solutions to protect your business from zero-day exploits and remote code execution attacks.
Remember: every day without securing your infrastructure is an opportunity for attackers. Prevention not only avoids financial loss — it also safeguards your customers’ trust and your company’s reputation.