Full Report
Adobe released emergency updates for two zero-day flaws in Adobe Experience Manager (AEM) Forms on JEE after a PoC exploit chain was disclosed that can be used for unauthenticated, remote code execution on vulnerable instances. [...]
Analysis Summary
# Vulnerability: Adobe AEM Forms Zero-Days (RCE, XXE, Auth Bypass)
## CVE Details
- CVE ID: CVE-2025-49533 (Patched Aug 5), CVE-2025-54254, CVE-2025-54253
- CVSS Score: not provided in the source; unauthenticated RCE implies Critical severity.
- CWE: deserialization of untrusted data (CVE-2025-49533), XML External Entity injection (CVE-2025-54254), authentication bypass (CVE-2025-54253). CWE identifiers are not given in the source.
## Affected Systems
- Products: Adobe Experience Manager (AEM) Forms
- Versions: Specific vulnerable versions are not listed, but the context implies versions prior to the emergency fixes released after July 29, 2025.
- Configurations: Related to developer settings being left enabled (Struts2 DevMode for CVE-2025-54253).
## Vulnerability Description
The summary details three critical vulnerabilities affecting Adobe AEM Forms:
1. **CVE-2025-49533 (Java Deserialization RCE):** A flaw in the FormServer module allows unauthenticated Remote Code Execution (RCE). This occurs because user-supplied data is decoded and deserialized without proper validation, enabling attackers to send malicious payloads to execute arbitrary commands on the server.
2. **CVE-2025-54254 (XXE):** An XML External Entity (XXE) vulnerability in a web service handling SOAP authentication. Attackers can submit a specially crafted XML payload to force the service to disclose local files (e.g., `win.ini`) without authentication.
3. **CVE-2025-54253 (Authentication Bypass/OGNL Execution):** This flaw results from an authentication bypass in the `/adminui` module combined with misconfigured developer settings, specifically Struts2's development mode being left enabled. This allows arbitrary OGNL expressions to be executed via debug parameters in HTTP requests.
## Exploitation
- Status: **PoC available** (Researchers published a technical write-up detailing exploitation methods on July 29th).
- Complexity: Likely **Low** for RCE and XXE due to lack of authentication requirements for exploitation paths.
- Attack Vector: **Network** (Remote exploitation possible).
## Impact
- Confidentiality: High (Due to XXE file disclosure and potential information disclosure from RCE).
- Integrity: Critical (Due to Remote Code Execution allowing system modification).
- Availability: Critical (Due to Remote Code Execution).
## Remediation
### Patches
- Emergency fixes have been issued by Adobe that address CVE-2025-49533, CVE-2025-54254, and CVE-2025-54253. **Administrators are advised to install the latest updates and hotfixes immediately.**
### Workarounds
- Strongly recommended workaround: **Restrict external internet access to the AEM Forms platform.**
## Detection
- Indicators of Compromise: Look for unexpected process execution, unusual outbound network connections originating from the AEM Forms server, or suspicious deserialization activity within the FormServer module logs.
- Detection methods and tools: Monitor HTTP traffic for unusually constructed XML payloads targeting SOAP services, or requests containing OGNL expressions in debugger/debug parameters targeting the `/adminui` path.
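Added example (not code from the report or from Adobe): a small rule set implementing the two request-level detections listed above, run over constructed sample requests. It assumes requests are available as method, URL and body (e.g. from a reverse proxy or WAF capture), uses the Struts2 DebuggingInterceptor parameter names from the Struts documentation, and the SOAP path is hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Struts2 DebuggingInterceptor modes (per the Struts documentation); "command" evaluates the
# "expression" parameter, which is the OGNL execution path the report describes.
STRUTS_DEBUG_MODES = {"xml", "console", "command", "browser"}
# Matches an external DTD entity declaration: <!ENTITY name SYSTEM "..."> or PUBLIC "..." "..."
EXTERNAL_ENTITY_RE = re.compile(r"<!ENTITY\s+\S+\s+(?:SYSTEM|PUBLIC)\b", re.IGNORECASE)


def classify_request(method, url, body=""):
    """Return finding labels for one HTTP request; an empty list means nothing matched."""
    findings = []
    parts = urlsplit(url)
    params = parse_qs(parts.query, keep_blank_values=True)
    # Rule 1: Struts2 devmode debug parameter sent to the /adminui module.
    if parts.path.startswith("/adminui"):
        modes = {v.lower() for v in params.get("debug", [])}
        if "command" in modes and "expression" in params:
            findings.append("adminui-ognl-command")
        elif modes & STRUTS_DEBUG_MODES:
            findings.append("adminui-debug-param")
    # Rule 2: POST body that declares an external DTD entity (the XXE precondition).
    if method.upper() == "POST" and "<!DOCTYPE" in body and EXTERNAL_ENTITY_RE.search(body):
        findings.append("xml-external-entity")
    return findings


def scan(requests):
    """Return [(url, findings)] for every request that triggers at least one rule."""
    hits = []
    for rec in requests:
        found = classify_request(rec["method"], rec["url"], rec.get("body", ""))
        if found:
            hits.append((rec["url"], found))
    return hits


# Constructed sample requests (not from the report). Bodies would come from a reverse-proxy
# or WAF capture, since plain access logs do not record POST bodies.
SAMPLE_REQUESTS = [
    {"method": "GET", "url": "/adminui/"},
    {"method": "GET", "url": "/adminui/?debug=command&expression=1%2B1"},
    {"method": "GET", "url": "/adminui/?debug=console"},
    {"method": "POST", "url": "/soap/services/ExampleAuthService",  # hypothetical SOAP path
     "body": '<?xml version="1.0"?><!DOCTYPE r [<!ENTITY e SYSTEM "file:///c:/windows/win.ini">]><r>&e;</r>'},
    {"method": "POST", "url": "/soap/services/ExampleAuthService", "body": '<?xml version="1.0"?><r>ok</r>'},
    {"method": "GET", "url": "/content/forms/af/sample.html?debug=xml"},  # not /adminui: no hit
]
```

`scan(SAMPLE_REQUESTS)` returns three hits: the two `/adminui` requests carrying a `debug` parameter and the SOAP POST whose body declares an external entity; the benign requests produce nothing.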
## References
- Vendor advisories: Adobe emergency fixes for the three CVEs; the advisory itself is not linked in the source.
- Relevant links (defanged):
  - bleepingcomputer com/news/security/adobe-issues-emergency-fixes-for-aem-forms-zero-days-after-pocs-released/
  - slcyber io/assetnote-security-research-center/struts-devmode-in-2025-critical-pre-auth-vulnerabilities-in-adobe-experience-manager-forms/