Security updates available for Adobe Experience Manager Forms | APSB25-82
Bulletin ID | Date Published | Priority |
---|---|---|
APSB25-82 | August 5, 2025 | 1 |
Summary
Adobe has released a security update for Adobe Experience Manager Forms on Java Enterprise Edition (JEE). This update addresses critical vulnerabilities that could lead to arbitrary code execution and arbitrary file system read.
Adobe is aware that CVE-2025-54253 and CVE-2025-54254 have a publicly available proof-of-concept. Adobe is not aware of these issues being exploited in the wild.
Affected Product Versions
Product | Version | Platform |
---|---|---|
Adobe Experience Manager (AEM) Forms on JEE | 6.5.23.0 and earlier | All |
Solution
Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version:
Product | Version | Platform | Priority | Availability |
---|---|---|---|---|
Adobe Experience Manager (AEM) Forms on JEE | 6.5.0-0108 | All | 1 | Update Instructions |
Please contact Adobe customer care for assistance with AEM versions 6.4, 6.3 and 6.2.
Vulnerability Details
Vulnerability Category | Vulnerability Impact | Severity | CVSS base score | CVSS vector | CVE Number |
---|---|---|---|---|---|
Improper Restriction of XML External Entity Reference ('XXE') (CWE-611) | Arbitrary file system read | Critical | 8.6 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N | CVE-2025-54254 |
Misconfiguration (CWE-16) | Arbitrary code execution | Critical | 10.0 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H | CVE-2025-54253 |
Acknowledgments
Adobe would like to thank the following for reporting these issues and for working with Adobe to help protect our customers:
- Shubham Shah and Adam Kues (Assetnote) -- CVE-2025-54253, CVE-2025-54254
NOTE: Adobe has a private, invite-only, bug bounty program with HackerOne. If you are interested in working with Adobe as an external security researcher, please fill out this form for next steps.
For more information, visit https://helpx.adobe.com/security.html, or email PSIRT@adobe.com.