This Adobe AEM flaw is as bad as they come, and it is already being exploited

  • Adobe patched two AEM flaws, one of them maximum-severity, that enable code execution and file access without user interaction
  • CISA added CVE-2025-54253 and CVE-2025-54254 to KEV, confirming active exploitation
  • Federal agencies must patch by November 5; the private sector is urged to follow, given the widespread risk

Adobe recently patched two flaws in its Experience Manager product, including a maximum-severity one that allows malicious actors to execute arbitrary code.

While the company said it was “not aware” of in-the-wild exploits, it did say that proof-of-concept (PoC) exploits for both flaws were publicly known. Subsequently, the US Cybersecurity and Infrastructure Security Agency (CISA) added both to its Known Exploited Vulnerabilities (KEV) catalog, meaning they are being used in attacks.

Adobe Experience Manager (AEM) is Adobe’s enterprise-level content management system (CMS) used for building and managing websites, mobile apps, and digital experiences. It helps large organizations create, organize, and deliver personalized content across different channels.

Added to CISA’s KEV

The two flaws in question are tracked as CVE-2025-54253 and CVE-2025-54254. The former is described as a “misconfiguration vulnerability” that can be abused to bypass security mechanisms and execute arbitrary code, and it carries a severity score of 10/10 (critical).

The latter is an “improper restriction of XML External Entity Reference (XXE)” vulnerability that leads to arbitrary file system read, letting attackers access sensitive files on the server without any user interaction. It was given a severity score of 8.6/10 (high).
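To show what that bug class looks like in practice, here is an added example (not Adobe’s code, and not taken from AEM or from the CVE-2025-54254 advisory) of a Java XML parser in its default JAXP configuration beside a hardened one. The payload, the temporary “secret” file and its contents are all constructed for the demonstration; the hardening flags are the standard Xerces/JAXP features, not anything specific to Adobe’s fix.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class XxeDemo {

    // Constructed payload: a DOCTYPE declares an external general entity that
    // points at a local file, and the document body references that entity.
    static String payload(Path secret) {
        return "<?xml version=\"1.0\"?>\n"
             + "<!DOCTYPE data [\n"
             + "  <!ENTITY xxe SYSTEM \"" + secret.toUri() + "\">\n"
             + "]>\n"
             + "<data>&xxe;</data>";
    }

    // Default JAXP configuration: external general entities are resolved,
    // so whatever the entity points at is read and copied into the document.
    static String parseDefault(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        return textOf(dbf.newDocumentBuilder(), xml);
    }

    // Hardened configuration: forbid DOCTYPE altogether, which blocks every
    // entity-based attack, and as defence in depth also disable external
    // entities, external DTD loading, XInclude and entity expansion.
    static String parseHardened(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return textOf(dbf.newDocumentBuilder(), xml);
    }

    private static String textOf(DocumentBuilder db, String xml) throws Exception {
        Document doc = db.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return doc.getDocumentElement().getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for a sensitive file an attacker would target.
        Path secret = Files.createTempFile("xxe-secret", ".txt");
        Files.writeString(secret, "db.password=not-a-real-secret");
        String xml = payload(secret);
        try {
            // The file contents come back as the element's text.
            System.out.println("default : " + parseDefault(xml));
            // The hardened parser rejects the document at the DOCTYPE.
            System.out.println("hardened: " + parseHardened(xml));
        } catch (SAXParseException e) {
            System.out.println("hardened: rejected (" + e.getMessage() + ")");
        } finally {
            Files.deleteIfExists(secret);
        }
    }
}
```

Run it with `java XxeDemo.java` on JDK 11 or later. The hardened parser fails closed: an attacker-controlled document is rejected before any entity is resolved, so the parser never opens a file on the attacker’s behalf. Disallowing DOCTYPE is the one setting that matters most; the remaining flags cover parsers that do not honour it.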

Both bugs affect Adobe Experience Manager Forms on JEE versions 6.5.23.0 and earlier. The patch, released in August this year, brings the software to version 6.5.0-0108.

On October 15, CISA added both flaws to its KEV catalog, confirming reports of abuse in the wild. When a bug is added to KEV, Federal Civilian Executive Branch (FCEB) agencies have a three-week deadline to apply available fixes and mitigations or stop using the vulnerable tools altogether.

In Adobe’s case, agencies have until November 5, 2025, to apply the patches.

While CISA’s deadline only applies to FCEB agencies, businesses and other organizations in the private sector are advised to follow suit, since cybercriminals rarely differentiate between the two and will target whoever is vulnerable.

Via The Hacker News

Tech Insider (NewForTech Editorial Team), https://newfortech.com
Tech Insider is NewForTech’s in-house editorial team focusing on tech news, security, AI, opinions and technology trends.
