- Adobe has patched two critical AEM vulnerabilities, allowing code execution and file access without user interaction.
- CISA added CVE-2025-54253 and CVE-2025-54254 to KEV, confirming active exploitation.
- Agencies must install the patch by November 5; the private sector is strongly encouraged to follow suit due to the widespread risk.
Adobe recently patched two vulnerabilities in its Experience Manager product, including a maximum-severity vulnerability that could allow attackers to execute arbitrary code.
While the company said it was “not aware” of existing exploits, it said it had seen proof-of-concept (PoC) exploits. Additionally, the US Cybersecurity and Infrastructure Security Agency (CISA) has added it to its Known Exploited Vulnerabilities (KEV) catalog, which means it is being used in attacks.
Adobe Experience Manager (AEM) is Adobe's enterprise-grade content management system (CMS) used to create and manage websites, mobile apps, and digital experiences. It helps large organizations create, organize, and deliver personalized content across multiple channels.
Added to CISA's KEV catalog
The two vulnerabilities in question are tracked as CVE-2025-54253 and CVE-2025-54254. The first is described as a “misconfiguration vulnerability” that can be abused to bypass security mechanisms, and it carries a severity rating of 10/10 (critical).
The second is an “improperly restricted XML External Entity Reference ('XXE')” vulnerability that leads to arbitrary file system reads, letting attackers access sensitive files without any user interaction. It carries a severity rating of 8.6/10 (high).
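As an added, defender-side illustration that is not part of the Adobe advisory or this report: XXE flaws of the kind described above are only reachable when the XML parser is allowed to process a DOCTYPE with external entity declarations, so one generic mitigation is to refuse such input before it reaches the parser at all. The Python guard below (a generic pattern, not AEM's own parser code) classifies an incoming document and fails closed on anything carrying a DOCTYPE or an external (SYSTEM/PUBLIC) entity; the sample documents, the placeholder file path and the placeholder URL are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample documents (not taken from the advisory or any real attack).
BENIGN_XML = b'<?xml version="1.0"?><page><title>Hello</title></page>'

# External general entity pointing at a placeholder local file.
EXTERNAL_ENTITY_XML = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE page [ <!ENTITY ext SYSTEM "file:///placeholder/secret.txt"> ]>'
    b'<page><title>&ext;</title></page>'
)

# External parameter entity pointing at a placeholder remote DTD.
PARAM_ENTITY_XML = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE page [ <!ENTITY % dtd SYSTEM "http://placeholder.invalid/x.dtd"> %dtd; ]>'
    b'<page/>'
)

# A DOCTYPE with no entity declarations: harmless by itself, but still rejected
# because a parser that honours DOCTYPEs is the precondition for XXE.
DOCTYPE_ONLY_XML = b'<!DOCTYPE page><page/>'

_DOCTYPE_RE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)
# Matches <!ENTITY name SYSTEM ...> and <!ENTITY % name PUBLIC ...> forms.
_EXTERNAL_ENTITY_RE = re.compile(
    rb"<!ENTITY\s+%?\s*\S+\s+(SYSTEM|PUBLIC)\b", re.IGNORECASE
)


class UnsafeXMLError(ValueError):
    """Raised when untrusted XML is refused before parsing."""


def classify_xml(data: bytes) -> str:
    """Return 'external-entity', 'doctype' or 'clean' for a raw XML document.

    The check runs on the raw bytes, so a DOCTYPE hidden in a comment or CDATA
    section also triggers rejection; that false positive is accepted because
    the guard is meant to fail closed.
    """
    if _EXTERNAL_ENTITY_RE.search(data):
        return "external-entity"
    if _DOCTYPE_RE.search(data):
        return "doctype"
    return "clean"


def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Parse only documents that carry no DOCTYPE at all; refuse everything else."""
    verdict = classify_xml(data)
    if verdict != "clean":
        raise UnsafeXMLError(f"rejected XML input: {verdict}")
    return ET.fromstring(data)


def is_rejected(data: bytes) -> bool:
    """Convenience wrapper: True if the guard refuses the document."""
    try:
        parse_untrusted_xml(data)
    except UnsafeXMLError:
        return True
    return False


if __name__ == "__main__":
    for label, doc in [
        ("benign", BENIGN_XML),
        ("external entity", EXTERNAL_ENTITY_XML),
        ("parameter entity", PARAM_ENTITY_XML),
        ("doctype only", DOCTYPE_ONLY_XML),
    ]:
        print(f"{label:18s} -> {classify_xml(doc)}; rejected={is_rejected(doc)}")
```

Rejecting every DOCTYPE, rather than trying to enumerate dangerous entity forms, is the same policy most hardened parser configurations apply (disallowing DOCTYPE declarations outright), and it removes both the file-read path and the remote-DTD path in one rule; a gateway or WAF that applies this check upstream of an XML-consuming application gains a detection signal as well, since the rejection reason can be logged.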
Both flaws affect Adobe Experience Manager version 6.5.23 and earlier. A patch released in August this year brings the product to version 6.5.0-0108.
On October 15, CISA added both vulnerabilities to its KEV catalog, confirming reports of in-the-wild exploitation. When a bug is added to KEV, Federal Civilian Executive Branch (FCEB) agencies have a three-week window to apply the available fixes and mitigations, or to stop using the affected products altogether.
In Adobe's case, agencies must apply the fixes by November 5, 2025.
While CISA deadlines only apply to FCEB agencies, other agencies and private sector businesses are encouraged to follow suit, as cybercriminals rarely differentiate between the two and target whoever is vulnerable.
Via Hacker News