- Adobe fixed two critical AEM flaws allowing code execution and file access without user interaction
- CISA added CVE-2025-54253 and CVE-2025-54254 to KEV, confirming active exploitation
- Agencies must apply the patch by November 5; the private sector is urged to follow because the risk is widespread
Adobe recently fixed two vulnerabilities in its Experience Manager product, including one of maximum severity that allows malicious actors to execute arbitrary code.
Although the company said it was “not aware” of exploits in the wild, it said it had seen proof-of-concept (PoC) exploits. Additionally, the US Cybersecurity and Infrastructure Security Agency (CISA) added the flaws to the KEV (the Catalog of Known Exploited Vulnerabilities), meaning they are being used in attacks.
Adobe Experience Manager (AEM) is Adobe’s content management system (CMS) used to create and manage websites, mobile apps, and digital experiences. It helps large organizations create, organize and deliver personalized content across different channels.
Added to CISA KEV
The two flaws in question are tracked under the names CVE-2025-54253 and CVE-2025-54254. The first is described as a “misconfiguration vulnerability” that can be exploited to bypass security mechanisms and has a severity score of 10/10 (critical).
The second is an “Improper Restriction of XML External Entity Reference (XXE)” vulnerability that results in arbitrary reading of the file system and allows attackers to access sensitive files – without any user interaction. It received a severity score of 8.6/10 (high).
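The XXE class described above is defeated at the parser, not at the file system: a parser that never honours a DOCTYPE cannot be talked into declaring an entity that points at a local file. The following is an added example of such a hardened parser using Python's standard-library expat bindings; it is not Adobe's code and says nothing about AEM's internal parsers, and the element-to-text result shape, the `UnsafeXMLError` name and the `is_rejected` helper are this example's own choices.

```python
import xml.parsers.expat as expat


class UnsafeXMLError(ValueError):
    """Untrusted XML carried a DOCTYPE, entity declaration or external reference."""


def parse_untrusted_xml(data: bytes) -> dict:
    """Parse XML from an untrusted source with every XXE construct refused.
    A DOCTYPE is rejected before any entity can be declared, parameter entities
    are never processed, and external references raise instead of being fetched.
    Returns {element name: text} so the demo has a checkable result.
    """
    parser = expat.ParserCreate()
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXMLError(f"DOCTYPE {name!r} not allowed in untrusted input")

    def reject_entity(name, is_param, value, base, sysid, pubid, notation):
        raise UnsafeXMLError(f"entity declaration {name!r} not allowed")

    def reject_external_ref(context, base, sysid, pubid):
        raise UnsafeXMLError(f"external entity reference to {sysid!r} refused")

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    parser.ExternalEntityRefHandler = reject_external_ref

    result, stack = {}, []

    def start(name, attrs):
        stack.append(name)
        result.setdefault(name, "")

    def chars(text):
        if stack:  # ignore anything outside the document element
            result[stack[-1]] += text

    parser.StartElementHandler = start
    parser.EndElementHandler = lambda name: stack.pop()
    parser.CharacterDataHandler = chars
    parser.Parse(data, True)  # malformed XML raises expat.ExpatError
    return result


def is_rejected(data: bytes) -> bool:
    """True when the hardened parser refuses the document as an XXE attempt."""
    try:
        parse_untrusted_xml(data)
    except UnsafeXMLError:
        return True
    return False
```

In a Java stack such as AEM the equivalent general measure is setting the Xerces feature `http://apache.org/xml/features/disallow-doctype-decl` to true (and disabling external general and parameter entities) on every `DocumentBuilderFactory` or `SAXParserFactory` that handles untrusted input; this is the standard XXE hardening, not a description of Adobe's patch.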
Both bugs were found in Adobe Experience Manager versions 6.5.23 and earlier. The patch, released in August this year, brings the tool to version 6.5.0-0108.
On October 15, CISA added both vulnerabilities to its KEV catalog, confirming reports of abuse in the wild. When a bug is added to KEV, Federal Civilian Executive Branch (FCEB) agencies have three weeks to apply available patches and mitigations or stop using the vulnerable tools altogether.
In Adobe’s case, agencies have until November 5, 2025 to apply the fixes.
Although the CISA deadline only applies to FCEB agencies, other agencies and private sector companies are advised to follow suit, as cybercriminals rarely differentiate between the two and target anyone who is vulnerable.
Via Hacker news