U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Adobe Experience Manager Forms flaw to its Known Exploited Vulnerabilities catalog.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added an Adobe Experience Manager Forms flaw, tracked as CVE-2025-54253 (CVSS score 10.0), to its Known Exploited Vulnerabilities (KEV) catalog.
Adobe Experience Manager (AEM) Forms is a component of Adobe Experience Manager, designed to help organizations create, manage, and automate digital forms and document-based processes. It’s commonly used in industries like banking, insurance, government, and healthcare, where collecting and processing customer data securely and efficiently is critical.
The vulnerability is a misconfiguration issue that could result in arbitrary code execution. It impacts Adobe Experience Manager versions 6.5.23 and earlier. An attacker could leverage the vulnerability to bypass security mechanisms and execute code. Experts warn that exploitation of this issue does not require user interaction and that the scope is changed; for this reason, the flaw is rated with the maximum severity, a CVSS score of 10.0.
Adobe addressed the vulnerability in August 2025.
According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.
Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.
CISA orders federal agencies to fix the vulnerabilities by November 5, 2025.
(SecurityAffairs – hacking, CISA)