Adobe Urges Immediate Update to Fix AEM Forms Zero-Days

Publication date: 2025-08-06

Introduction

On August 6, 2025, Adobe released an emergency patch for Adobe Experience Manager Forms (AEM Forms) after two critical vulnerabilities—publicly detailed with proof-of-concept exploits—remained unpatched. Administrators of standalone AEM Forms instances must upgrade to version 6.5.0-0108 immediately to prevent compromise.

AEM Forms lets enterprises build, manage and publish interactive digital forms integrated with Adobe’s Experience Cloud. Although Adobe addressed one of the three flaws in July, the other two were only remediated after they went public following the 90-day disclosure deadline.

Vulnerabilities Overview

On April 28, 2025, Assetnote reported three critical AEM Forms issues to Adobe:

  • CVE-2025-49533: Insecure deserialization in GetDocumentServlet allowing remote code execution (CVSS 9.8).
  • CVE-2025-54254: XXE in Axis web services enabling arbitrary file reads (CVSS 8.6).
  • CVE-2025-54253: Misconfigured security filter combined with Struts2 devMode for unauthenticated RCE (CVSS 10.0).

Adobe’s bulletins APSB25-67 (July 8) and APSB25-82 (August 5) classify all three as Priority 1. With working exploits for CVE-2025-54254/54253 circulating, any publicly reachable AEM Forms is at severe risk.

Benefits of Our CVE Reports

BaseFortify’s CVE reports combine public advisories with AI-driven analysis in a concise Q&A format, offering both:

By linking directly to our detailed pages, you gain immediate access to step-by-step mitigation advice and sample payloads tailored to each CVE.

Why Register at BaseFortify.eu?

Register for free at basefortify.eu/register to:

  • Set up an asset watch list, tracking only the products and vulnerabilities you use.
  • Quickly look up mitigation steps and patch instructions without sifting through long advisories.

Registration takes under a minute and ensures you never miss critical security updates for your environment.

Mitigation and Recommendations

1. Apply the August 5 patch—AEM Forms 6.5.0-0108—immediately to cover all three CVEs.

2. Restrict access: Only allow AEM Forms traffic over VPN or trusted networks; block /FormServer/servlet/GetDocumentServlet and /adminui/* at your firewall or web server.

3. Disable Struts2 devMode in production (struts.devMode=false).

4. Monitor logs for unexpected access attempts or malformed SOAP headers.
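A log check for steps 2 and 4, added here as an example and not part of the advisory: it parses Apache/nginx combined-format access lines (assumed layout; the entries below are constructed) and reports, per client, whether requests to the two paths the advisory says to block were actually denied or still served, after decoding and normalizing the path so trivial variants of the same URL are not missed.

```python
"""Scan access logs for requests to the AEM Forms paths the advisory says to block,
and report which of them were served (block not effective) rather than denied."""
import re
from collections import defaultdict
from posixpath import normpath
from urllib.parse import unquote, urlsplit

# Paths named in the mitigation section; anything under /adminui/ counts.
BLOCKED_PREFIXES = ("/FormServer/servlet/GetDocumentServlet", "/adminui/")

# Apache/nginx "combined" log layout (assumption: your logs use this format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+'
)

# Constructed sample entries: one legitimate form request, one hit on the servlet
# that was served, one traversal variant of /adminui/ that was denied, one
# percent-encoded variant of /adminui/ that was served.
SAMPLE_LOG = """\
203.0.113.5 - - [06/Aug/2025:10:01:12 +0000] "GET /content/forms/af/contact.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [06/Aug/2025:10:01:15 +0000] "POST /FormServer/servlet/GetDocumentServlet HTTP/1.1" 200 812 "-" "curl/8.0"
198.51.100.9 - - [06/Aug/2025:10:02:40 +0000] "GET /adminui/../adminui/ HTTP/1.1" 403 199 "-" "python-requests/2.31"
198.51.100.9 - - [06/Aug/2025:10:02:41 +0000] "GET /%61dminui/config HTTP/1.1" 200 2048 "-" "python-requests/2.31"
"""

def normalize_path(target: str) -> str:
    """Drop the query string, percent-decode, and collapse '..' segments."""
    return normpath(unquote(urlsplit(target).path)) or "/"

def is_sensitive(target: str) -> bool:
    """True if the normalized request path is one of the paths to be blocked."""
    path = normalize_path(target)
    for prefix in BLOCKED_PREFIXES:
        base = prefix.rstrip("/")
        if path == base or path.startswith(base + "/"):
            return True
    return False

def scan(lines):
    """Return {client_ip: {"denied": n, "served": n}} for hits on sensitive paths."""
    hits = defaultdict(lambda: {"denied": 0, "served": 0})
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_sensitive(m["target"]):
            continue
        # A 2xx/3xx answer means the path was reachable despite the intended block.
        key = "served" if m["status"][0] in "23" else "denied"
        hits[m["ip"]][key] += 1
    return dict(hits)

if __name__ == "__main__":
    for ip, counts in scan(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: denied={counts['denied']} served={counts['served']}")
```

Any client with a non-zero "served" count shows the web-server or firewall rule is not covering that path variant.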

Even temporary access controls can significantly reduce risk until the patch is fully deployed.
