Improper XML External Entity Handling Vulnerability in Adobe Experience Manager
CVE-2025-54254
What is CVE-2025-54254?
Adobe Experience Manager versions 6.5.23 and earlier are affected by an Improper Restriction of XML External Entity Reference (XXE) vulnerability that allows an attacker to read arbitrary files from the local filesystem. Exploitation does not require any user interaction, making it particularly dangerous. By leveraging this vulnerability, an attacker can gain access to sensitive information stored on the server, leading to potential data breaches and significant privacy concerns.
Affected Version(s)
Adobe Experience Manager: versions 0 through 6.5.23 (inclusive)
News Articles
Adobe Experience Manager Forms under attack! Urgent patch for a score 10 RCE zero-day bug.
Learn about the zero-day vulnerability in Adobe AEM Forms and how to protect yourself with the available critical update.
1 week ago
Adobe AEM Forms 0-Day Vulnerability Allows Arbitrary Code Execution
The company released APSB25-82 on August 5, 2025, categorizing these updates as Priority 1, indicating the highest level of urgency for immediate patching across enterprise environments.
1 week ago
Adobe Issues Out-of-Band Patches for AEM Forms Vulnerabilities With Public PoC
Adobe has released urgent security updates to resolve two AEM Forms vulnerabilities for which proof-of-concept (PoC) code exists.
1 week ago