XML Injection Vulnerability in Adobe Experience Manager
CVE-2025-54251
What is CVE-2025-54251?
CVE-2025-54251 is a significant security vulnerability affecting Adobe Experience Manager (AEM), a comprehensive content management solution for building websites, mobile apps, and forms. The vulnerability, present in versions 6.5.23.0 and earlier, is categorized as an XML Injection issue that allows an attacker with only low privileges to manipulate XML queries. The resulting security feature bypass poses a serious risk because it could grant unauthorized, though limited, write access to parts of the application. This flaw could undermine the integrity of data and functionality in organizations that rely on Adobe Experience Manager for digital asset management and online content delivery.
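The advisory does not describe the affected code, so the following is an added, generic illustration of the XML Injection class (CWE-91) rather than AEM's own code: a record builder that splices an untrusted value into markup by string concatenation, beside the same builder written against the XML API so that markup characters in the value stay literal text. The element names, the sample input, and the allow-list pattern are all constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample input: a display name that contains XML markup. In a real
# application this would arrive in an untrusted request parameter.
UNTRUSTED_NAME = "Alice</name><role>admin</role><name>"


def build_profile_vulnerable(name: str) -> str:
    """Builds a user profile record by string concatenation.

    The untrusted value is placed directly inside the markup, so any '<' or
    '&' in it is parsed as structure instead of text. A value carrying its
    own <role> element therefore adds a role the caller never authorised,
    which is the kind of unauthorised write the advisory describes.
    """
    return f"<user><name>{name}</name><role>viewer</role></user>"


def build_profile_safe(name: str) -> str:
    """Builds the same record through the XML API.

    ElementTree escapes '<', '>' and '&' when serialising element text, so
    markup in the value remains inside the <name> element as literal text
    and cannot introduce new elements.
    """
    user = ET.Element("user")
    ET.SubElement(user, "name").text = name
    ET.SubElement(user, "role").text = "viewer"
    return ET.tostring(user, encoding="unicode")


def is_plain_name(value: str) -> bool:
    """Defence in depth: allow-list check applied before the value is used.

    Letters, digits, spaces, dots, apostrophes and hyphens only; anything
    that could be XML markup is rejected outright. Constructed pattern.
    """
    return re.fullmatch(r"[\w .'-]{1,64}", value) is not None


def roles_in(profile_xml: str) -> list:
    """Parses a profile record and returns every <role> value it contains."""
    root = ET.fromstring(profile_xml)
    return [r.text for r in root.findall("role")]


def name_in(profile_xml: str) -> str:
    """Parses a profile record and returns the text of its first <name>."""
    root = ET.fromstring(profile_xml)
    return root.findtext("name")


if __name__ == "__main__":
    # The concatenated record gains an extra 'admin' role; the API-built
    # record keeps a single 'viewer' role and the name as literal text.
    print("vulnerable roles:", roles_in(build_profile_vulnerable(UNTRUSTED_NAME)))
    print("safe roles:      ", roles_in(build_profile_safe(UNTRUSTED_NAME)))
    print("safe name:       ", name_in(build_profile_safe(UNTRUSTED_NAME)))
    print("allow-list ok:   ", is_plain_name(UNTRUSTED_NAME))
```

Escaping at the point of serialisation is the primary control; the allow-list check is a second layer that also gives a simple detection signal, since legitimate display names should never fail it.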
Potential Impact of CVE-2025-54251
- Unauthorized Data Manipulation: Attackers may exploit this vulnerability to gain limited write access, allowing them to alter existing data or introduce malicious content, potentially leading to misinformation or unauthorized changes within the application.
- Compromised Application Integrity: With the ability to bypass security features, an attacker could manipulate the system in a way that undermines trust in the application's integrity and reliability, affecting business operations and client relationships.
- Increased Attack Surface: This vulnerability may serve as a foothold for broader attacks within the organization's network, since an attacker could leverage the compromised AEM instance to pivot to other systems or applications, raising the organization's overall risk profile.
Affected Version(s)
Adobe Experience Manager: all versions up to and including 6.5.23.0
EPSS Score
9% chance of being exploited in the next 30 days.