When it comes to enterprise content management systems, Adobe Experience Manager (AEM) Forms is widely trusted for handling sensitive business workflows. But a recent discovery has shown that even industry-leading platforms aren't immune to serious security flaws.

Two critical zero-day vulnerabilities have been identified in Adobe AEM Forms on Java Enterprise Edition (JEE)—and they could allow attackers to run malicious code or access confidential data without your permission. If you're running an outdated version, this is one patch you can't afford to delay.

What's Been Discovered

Security researchers have flagged two severe vulnerabilities—CVE-2025-54253 and CVE-2025-54254—with CVSS 3.1 severity scores of 10.0 and 8.6, respectively. Adobe has given both the highest priority rating, meaning the risks are both real and urgent.

Breaking Down the Threats

1. CVE-2025-54253 – Maximum Risk (CVSS 10.0)

This flaw is the more dangerous of the two. It's caused by a misconfiguration issue that allows arbitrary code execution without any authentication or user interaction. Worse still, it's network-accessible and has low complexity requirements—making it especially dangerous for internet-facing AEM Forms deployments.

2. CVE-2025-54254 – XXE Exploit (CVSS 8.6)

The second vulnerability comes from improperly restricted XML External Entity (XXE) handling. This opens the door for attackers to read files from the affected server's file system, potentially exposing sensitive data such as:
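
The XXE mechanism described above, seen from the defender's side as an added Java example (not code from this article, from Adobe, or from AEM Forms' own parser setup): the weak setting is a plain JAXP DocumentBuilderFactory, which resolves external entities by default, and the corrected setting refuses DTDs and external entities outright. The class name, the sample XML and the placeholder file path are constructed for this illustration.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class XxeHardening {
    // Constructed sample input: a form submission whose DTD declares an
    // external entity pointing at a placeholder path. A parser that resolves
    // external entities would read that file and inline it into <data>.
    static final String SAMPLE =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE form [<!ENTITY ext SYSTEM \"file:///placeholder/path.txt\">]>\n"
      + "<form><data>&ext;</data></form>";

    // Corrected setting: refuse DTDs outright, then close the fallback paths
    // (external entities, external DTD/schema fetches, XInclude). The weak
    // setting is simply DocumentBuilderFactory.newInstance() with none of these.
    static DocumentBuilderFactory hardenedFactory() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }
    // Parses SAMPLE with the given factory and reports what the parser did.
    static String outcome(DocumentBuilderFactory f) throws Exception {
        try {
            Document d = f.newDocumentBuilder().parse(new InputSource(new StringReader(SAMPLE)));
            return "accepted, <data> = " + d.getDocumentElement().getTextContent();
        } catch (SAXParseException e) {
            return "rejected by parser configuration: " + e.getMessage();
        } catch (IOException e) {
            // Reaching here means the parser went to the file system for &ext;.
            return "parser tried to open the external entity: " + e.getMessage();
        }
    }
    public static void main(String[] args) throws Exception {
        System.out.println("default : " + outcome(DocumentBuilderFactory.newInstance()));
        System.out.println("hardened: " + outcome(hardenedFactory()));
    }
}
```

Running it shows the default factory attempting to open the placeholder file, while the hardened factory rejects the document at the DOCTYPE before any entity is resolved; disallowing the DTD is the single setting that matters most, the rest cover parsers where it is unavailable.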

Who's Affected

Both vulnerabilities affect Adobe Experience Manager (AEM) Forms on JEE, versions 6.5.23.0 and earlier, across all supported platforms. If your organization uses AEM Forms in any capacity, you'll want to verify your version right away.

Why This Is Urgent

The situation is made even more serious by the fact that proof-of-concept exploits are already public. While Adobe says there's no evidence of these vulnerabilities being used in active attacks yet, public exploits mean it's only a matter of time before malicious actors take advantage.

How to Protect Your Systems

Adobe has issued a fix in AEM Forms version 6.5.0-0108, which addresses both vulnerabilities. The update carries a Priority 1 classification, signaling that organizations should treat it as immediately critical.

Recommended actions:

Detailed update steps are available through Adobe's Experience League documentation.

Final Thoughts

Zero-day vulnerabilities are the worst kind of security threat—they give attackers a head start before most organizations even know there's a problem. In this case, the combination of remote code execution and file access makes these AEM Forms flaws especially dangerous for businesses handling sensitive data.

If you're running AEM Forms on JEE and haven't patched yet, consider this your final warning—patch now, or risk becoming the next case study in preventable breaches.