Adobe has released an emergency update for two zero-day flaws in Adobe Experience Manager (AEM) Forms on JEE after a proof-of-concept (PoC) exploit chain was publicly disclosed.
The flaws are tracked as CVE-2025-54253 and CVE-2025-54254.
- CVE-2025-54253: A misconfiguration that allows arbitrary code execution. It was rated "critical" with a CVSS score of 8.6.
- CVE-2025-54254: Improper restriction of XML External Entity Reference (XXE) that allows arbitrary file system reads. It was rated "critical" with the maximum CVSS score of 10.0.
Adobe has fixed the flaws in the latest version, as explained in this advisory.
The vulnerabilities were discovered by Shubham Shah and Adam Kues of Searchlight Cyber, who disclosed them to Adobe on April 28, 2025.
Adobe first patched CVE-2025-49533 on August 5, and for more than 90 days the other two flaws remained unfixed.
After warning Adobe about their disclosure timeline, the researchers published a technical article on July 29 detailing how the vulnerabilities work and how they can be exploited.
According to the researchers, CVE-2025-49533 is a Java deserialization flaw in the Forms server modules that allows unauthenticated remote code execution (RCE). The servlet processes user-supplied data by decoding and deserializing it without validation, allowing an attacker to send malicious payloads that execute commands on the server.
The XXE vulnerability tracked as CVE-2025-54254 affects the web services that handle SOAP authentication. By sending a specially crafted XML payload, an attacker can trick the service into disclosing local files such as win.ini without authentication.
Finally, the CVE-2025-54253 flaw is caused by an authentication bypass in the /adminui module combined with an incorrect developer configuration.
The researchers found that Struts2's development mode was incorrectly enabled, allowing attackers to execute OGNL expressions via debug parameters sent in HTTP requests.
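Because Struts2 debug parameters only have an effect when development mode is on, their presence in production access logs is a useful signal both that the mode is enabled and that someone is probing for it. The following detection script is an added example, not code from the article or from Searchlight Cyber; it parses constructed Combined Log Format lines and flags any request carrying the Struts2 DebuggingInterceptor parameters, with extra weight when the target is the /adminui module named above.

```python
"""Flag access-log requests that carry Struts 2 debug parameters.

The DebuggingInterceptor reads `debug` (modes xml, console, command,
browser) and, for `debug=command`, an `expression` parameter. None of
these should ever reach a production server, so any hit is worth a
look; a hit against /adminui matches the flaw described in the article.
"""
import re
from urllib.parse import parse_qs, urlsplit

STRUTS_DEBUG_PARAMS = {"debug", "expression"}
STRUTS_DEBUG_MODES = {"xml", "console", "command", "browser"}

# Combined Log Format; only the fields the detector needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def analyse_line(line: str):
    """Return a finding dict for a suspicious request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # malformed line: skip rather than guess
    parts = urlsplit(m.group("target"))
    # Lower-case keys so a detector is not evaded by odd casing.
    params = {k.lower(): v for k, v in
              parse_qs(parts.query, keep_blank_values=True).items()}
    hit = STRUTS_DEBUG_PARAMS & set(params)
    if not hit:
        return None
    modes = {v.lower() for v in params.get("debug", [])}
    return {
        "ip": m.group("ip"),
        "path": parts.path,
        "params": sorted(hit),
        "known_debug_mode": bool(modes & STRUTS_DEBUG_MODES),
        "admin_ui": parts.path.startswith("/adminui"),
        "status": int(m.group("status")),
    }


def scan(lines):
    """Run analyse_line over an iterable of log lines, keeping findings."""
    return [f for f in (analyse_line(l) for l in lines) if f]


# Constructed sample lines (placeholder IPs and expression, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2025:08:14:02 +0000] "GET /adminui/?debug=command&expression=PLACEHOLDER HTTP/1.1" 200 512',
    '192.0.2.10 - - [10/Oct/2025:08:14:30 +0000] "GET /index.html?lang=en HTTP/1.1" 200 4096',
    '198.51.100.5 - - [10/Oct/2025:08:15:10 +0000] "GET /adminui/?debug=xml HTTP/1.1" 200 2048',
    '192.0.2.11 - - [10/Oct/2025:08:16:00 +0000] "GET /search?q=debug HTTP/1.1" 200 777',
]
```

A `status` of 200 on a flagged request is the strongest indicator that development mode is actually enabled; a 4xx suggests the probe was blocked.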
All administrators are advised to install the latest updates and hotfixes as soon as possible, as the flaws allow remote code execution on vulnerable servers.
If that is not possible, the researchers strongly recommend restricting access to the platform from the Internet.