- Adobe has fixed two critical AEM bugs that allow code execution and file access without user interaction
- CISA added CVE-2025-54253 and CVE-2025-54254 to KEV, confirming active exploitation
- Agencies must patch by Nov. 5; private sector is encouraged to follow due to widespread risk
Adobe recently fixed two bugs in their Experience Manager product, including a maximum severity one that allows malicious actors to execute arbitrary code.
While the company said it is “not aware” of in-the-wild exploits, it noted that proof-of-concept (PoC) exploits are publicly available. In addition, the US Cybersecurity and Infrastructure Security Agency (CISA) has added the bugs to its Known Exploited Vulnerabilities (KEV) catalog, which indicates they are being used in attacks.
Adobe Experience Manager (AEM) is Adobe’s enterprise-grade content management system (CMS) used to build and manage websites, mobile apps, and digital experiences. It helps large organizations create, organize and deliver personalized content across different channels.
Added to CISA’s KEV
The two bugs in question are tracked as CVE-2025-54253 and CVE-2025-54254. The former is described as a “misconfiguration vulnerability” that can be exploited to bypass security mechanisms and has a severity score of 10/10 (critical).
The latter is an “improper limitation of XML External Entity Reference (‘XXE’)” vulnerability that results in arbitrary file system reads, allowing attackers to access sensitive files without user interaction. It received a severity score of 8.6/10 (high).
Both bugs were found in Adobe Experience Manager version 6.5.23 and earlier. The patch released in August this year brings the tool to version 6.5.0-0108.
On October 15, CISA added both bugs to its KEV catalog, confirming reports of abuse in the wild. When a bug is added to KEV, Federal Civilian Executive Branch (FCEB) agencies have a three-week window to apply available fixes and mitigations or stop using the vulnerable tools altogether.
In Adobe’s case, agencies have until November 5, 2025 to apply the fixes.
While CISA’s deadline only applies to FCEB agencies, other agencies and private sector companies are advised to follow suit, as cybercriminals rarely distinguish between the two and will target those who are vulnerable.
Via Hacker News