Adobe Issues Emergency Patches for Critical AEM Forms Flaws

In cybersecurity, there is no truce — and this time it’s  Adobe’s turn. The company has just released emergency patches for two critical vulnerabilities in Adobe Experience Manager (AEM) Forms on JEE, after public exploits were disclosed that allow remote code execution (RCE) on vulnerable servers without authentication.

At TecnetOne, we want to explain what happened, why these flaws are so severe, and most importantly, what you should do to protect your systems immediately.

The Critical Flaws Detected

The vulnerabilities have been identified as CVE-2025-54253 and CVE-2025-54254, both with very high risk levels:

1. CVE-2025-54253: A misconfiguration error enabling arbitrary code execution. Rated Critical with a CVSS score of 8.6.

1. CVE-2025-54254: An XXE (XML External Entity) flaw that allows system file disclosure without authentication. Rated Maximum Severity with a CVSS score of 10.0.

Adobe has already published a security update addressing these flaws. If you manage servers running AEM Forms, you must install these updates right away.

Learn more: Patch Management Lifecycle: What It Is and How to Apply It

How the Vulnerabilities Were Discovered

Researchers Shubham Shah and Adam Kues from Searchlight Cyber reported these flaws to Adobe on April 28, 2025. In the same report, they disclosed a third vulnerability, CVE-2025-49533, which was patched on August 5.

However, the two most severe flaws (54253 and 54254) remained unpatched for over 90 days, giving attackers time to prepare exploits while systems were still exposed.

On July 29, the researchers published a technical report detailing how the vulnerabilities work and how they could be exploited — which accelerated Adobe’s emergency patch release.

Technical Details of the Flaws

To understand the severity, here’s how each vulnerability works:

1. CVE-2025-49533 – Insecure Deserialization in FormServer
   (Now patched) This allowed unauthenticated RCE through a servlet that processed user-supplied data, decoding and deserializing it without validation.
   Practically, an attacker could send a malicious payload and execute commands directly on the server.

1. CVE-2025-54254 – XXE in SOAP Service
   This flaw affected a SOAP-based authentication web service. With a crafted XML, an attacker could trick the system into displaying local server files (like win.ini in Windows) without authentication. Beyond exposing sensitive files, it could serve as a gateway for more complex attacks.

1. CVE-2025-54253 – Development Mode Enabled by Mistake
   Due to a misconfiguration, Struts2 development mode was left active in the /adminui module. This allowed attackers to execute OGNL expressions by sending crafted debugging parameters in HTTP requests.

Also of interest: Adobe Fixes 254 Critical Bugs in Its Main Products

The Real Risk to Your Organization

If you use Adobe Experience Manager Forms on JEE, these flaws represent a critical risk because they:

1. Require no authentication — any remote attacker could exploit them.

1. Allow code execution — granting full control of the compromised server.

1. Expose confidential data — from system files to sensitive organizational data.

1. Can be chained together — amplifying the attack’s impact.

A successful attack could result in:

1. Theft of private or financial information

1. Complete disruption of online services

1. Use of your compromised server to launch further attacks

1. Reputational damage and possible regulatory penalties

What to Do Now: Urgent Actions

At TecnetOne, we recommend taking immediate steps:

Install Adobe Updates

Review Adobe’s latest security bulletin and apply all updates and hotfixes without delay.

Verify Server Configurations

Disable any development modes or debugging configurations that may expose parameters.

Strengthen Security Monitoring

Implement tools that detect anomalous behavior in real time to catch exploitation attempts early.

Restrict Access to Exposed Services

Avoid exposing services like the /adminui module to the internet unless absolutely necessary.

Train Your IT Team

Ensure administrators understand these vulnerabilities and are prepared to respond quickly.

Plan Penetration Testing

Regular security assessments help detect vulnerabilities before attackers do.

The Value of Prevention in Cybersecurity

This incident highlights a critical lesson: waiting is never an option.

Although these flaws were reported in April, the patch delay left hundreds of organizations exposed.

The only way to minimize risk is with a proactive approach:

1. Apply patches as soon as they are available.

1. Ensure proper configuration of every environment.

1. Rely on advanced cybersecurity solutions to detect exploitation attempts before it’s too late.

Conclusion: Don’t Put Off Your Security

The vulnerabilities discovered in Adobe AEM Forms are a stark reminder of how fragile complex systems can be. If you use this platform, you must act now.

At TecnetOne, we can help you deploy patches, harden configurations, and roll out next-generation security solutions to protect your business from zero-day exploits and remote code execution attacks.

Remember: every day without securing your infrastructure is an opportunity for attackers. Prevention not only avoids financial loss — it also safeguards your customers’ trust and your company’s reputation.