Introduction
Sensitive files on production servers can be exposed to unauthenticated attackers due to a critical XML External Entity (XXE) flaw in Adobe Experience Manager (AEM) Forms on JEE. Organizations relying on AEM Forms for document processing and workflow automation need to act quickly to prevent data leakage and potential follow-on attacks.
About Adobe Experience Manager (AEM) and AEM Forms: Adobe is a major provider of enterprise digital experience solutions, with AEM widely used by large organizations for content management, digital asset management, and forms processing. AEM Forms on Java Enterprise Edition (JEE) is a core component in many enterprise document workflows, making vulnerabilities in this product highly impactful across industries.
Technical Information
CVE-2025-54254 is caused by improper restriction of XML External Entity (XXE) references in AEM Forms on JEE. The vulnerability exists in all versions up to and including 6.5.23.0. When the application parses XML input, it fails to properly restrict external entity declarations. An attacker can submit specially crafted XML containing external entity references that point to files on the server's filesystem. The XML parser processes these entities, allowing the attacker to read arbitrary files from the server.
Key technical points:
- The vulnerability is pre-authentication and requires no user interaction.
- Adobe has not identified which AEM Forms on JEE endpoint(s) hand attacker-supplied XML to the vulnerable parser; any request path that accepts XML input should be treated as in scope until the update is applied.
- Exploitation allows reading of sensitive files such as configuration files, credentials, or other data stored on the server.
- The root cause is the use of an XML parser that does not disable external entity resolution, violating secure XML processing best practices (CWE-611).
No code snippets or vulnerable endpoint details have been published in official advisories or public sources as of this writing.
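Because neither Adobe nor public sources have released the vulnerable code, the following is a generic illustration of the CWE-611 pattern described above, added here and not taken from AEM Forms: a stock JAXP DocumentBuilder that resolves an external entity from a constructed payload, beside the hardened configuration that rejects the same payload. The class name, method names, and the target file /etc/hostname are assumptions for the demo only.

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class XxeDemo {

    // Constructed XXE payload (not from any advisory): the DOCTYPE declares an
    // external general entity that points at a local file, and the body
    // references it. /etc/hostname is an assumed target that exists on most
    // Linux hosts; in a real attack this would be a config or credential file.
    static final String PAYLOAD =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE data [\n"
      + "  <!ENTITY xxe SYSTEM \"file:///etc/hostname\">\n"
      + "]>\n"
      + "<data>&xxe;</data>";

    /** Stock JAXP configuration: DTDs accepted and external entities resolved (the CWE-611 pattern). */
    static DocumentBuilder vulnerableBuilder() throws ParserConfigurationException {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    /** Hardened configuration: refuse DOCTYPE outright, then disable entity resolution as defence in depth. */
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Primary control: with no DTD there are no entity declarations to abuse.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for deployments that must accept a DOCTYPE somewhere:
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    /** Parse the document and return the text content of its root element. */
    static String parseAndExtract(DocumentBuilder b, String xml) throws Exception {
        InputStream in = new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8));
        Document doc = b.parse(in);
        return doc.getDocumentElement().getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // On a stock JDK the default builder substitutes the entity, so the
        // root element's text is the content of /etc/hostname.
        try {
            String leaked = parseAndExtract(vulnerableBuilder(), PAYLOAD);
            System.out.println("default parser returned file contents: " + leaked.trim());
        } catch (Exception e) {
            System.out.println("default parser failed (target file may not exist): " + e);
        }
        // The hardened builder fails fast on the DOCTYPE before any entity is resolved.
        try {
            parseAndExtract(hardenedBuilder(), PAYLOAD);
            System.out.println("hardened parser unexpectedly accepted the payload");
        } catch (SAXParseException e) {
            System.out.println("hardened parser rejected payload: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac XxeDemo.java && java XxeDemo`. The first branch prints the host name read from disk; the second prints the parser's "DOCTYPE is disallowed" error. When reviewing a Java code base for this class of bug, search for every `DocumentBuilderFactory`, `SAXParserFactory`, `XMLInputFactory`, and `TransformerFactory` instantiation and confirm each applies the same feature set as `hardenedBuilder()`.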
Proof of Concept
Adobe has acknowledged the existence of publicly available proof-of-concept (PoC) exploits for two critical vulnerabilities in Adobe Experience Manager (AEM) Forms on Java Enterprise Edition (JEE):
- CVE-2025-54253: This vulnerability arises from a misconfiguration that can lead to arbitrary code execution. An attacker could exploit this by sending specially crafted requests to the affected AEM Forms instance, potentially allowing them to execute arbitrary code on the server.
- CVE-2025-54254: This issue stems from improper restriction of XML External Entity (XXE) references, leading to arbitrary file system read. By submitting maliciously crafted XML data, an attacker could exploit this vulnerability to read sensitive files from the server's file system.
While specific technical details and code snippets of these PoCs are not provided in the available sources, the existence of such exploits underscores the importance of promptly applying the security updates released by Adobe to mitigate these vulnerabilities.
Patch Information
Adobe has released a security update for Adobe Experience Manager (AEM) Forms on Java Enterprise Edition (JEE) to address critical vulnerabilities that could lead to arbitrary code execution and arbitrary file system read. (helpx.adobe.com)
Vulnerabilities Addressed:
- CVE-2025-54254: Improper Restriction of XML External Entity Reference (XXE) leading to arbitrary file system read.
- CVE-2025-54253: Misconfiguration leading to arbitrary code execution.
Severity Ratings:
- CVE-2025-54254: Critical, with a CVSS base score of 8.6.
- CVE-2025-54253: Critical, with a CVSS base score of 10.0.
Affected Versions:
- AEM Forms on JEE versions 6.5.23.0 and earlier.
Solution:
Adobe recommends users update their installations to the latest version, 6.5.0-0108, to mitigate these vulnerabilities. (helpx.adobe.com)
Update Instructions:
- Back up your environment:
  - Back up your CRX Repository, Database Schema, and Global Document Storage (GDS).
  - Back up the <AEM_forms_root>/deploy folder.
- Download the required software:
  - AEM Forms on JEE Service Pack.
  - Fragment Servlet.
  - AEM Service Pack.
  - Forms add-on package.
- Install the Microsoft Visual C++ Redistributable packages:
  - Download and install the 64-bit version of the Microsoft Visual C++ Redistributable packages for Visual Studio 2015, 2017, 2019, and 2022 on the computer where AEM 6.5 Forms is installed.
- Install the AEM Forms on JEE Service Pack:
  - Stop your application server.
  - Extract the AEM Forms on JEE Service Pack installer archive to your hard drive.
  - Run the installer and follow the on-screen instructions.
- Install the Servlet Fragment (if not already installed):
  - Download the fragment from the Software Distribution portal.
  - Start the application server and check the bundle state.
  - Open Web Console Bundles and install the downloaded fragment.
  - Stop the application server.
- Install the AEM Service Pack:
  - Restart the instance before installation if the instance is in update mode.
  - Take a snapshot or a fresh backup of your Experience Manager instance.
  - Download the service pack from Software Distribution.
  - Open Package Manager, upload, and install the package.
- Install the AEM Forms add-on package:
  - Ensure that you have installed the Experience Manager service pack.
  - Download the corresponding Forms add-on package for your operating system.
  - Install the Forms add-on package as described in the installation instructions.
Validation:
- Verify that the product information page (/system/console/productinfo) displays the updated version string Adobe Experience Manager (spversion) under Installed Products.
- Ensure all OSGi bundles are either ACTIVE or FRAGMENT in the OSGi Console (/system/console/bundles).
- Confirm that the OSGi bundle org.apache.jackrabbit.oak-core is version 1.22.14 or later.
By following these steps, you can effectively apply the security update to mitigate the identified vulnerabilities in AEM Forms on JEE. (experienceleague.adobe.com)
Affected Systems and Versions
- Product: Adobe Experience Manager (AEM) Forms on Java Enterprise Edition (JEE)
- Affected Versions: All versions up to and including 6.5.23.0
- Vulnerable Configurations: Any deployment of AEM Forms on JEE that has not been updated to 6.5.0-0108
Vendor Security History
Adobe has a history of regular security updates for AEM products. In 2025, multiple critical vulnerabilities were disclosed in AEM Forms, including CVE-2025-54253 (arbitrary code execution) and CVE-2025-54254 (XXE file read). Adobe responded promptly with advisories and patches. However, the recurrence of XML and configuration-related vulnerabilities indicates ongoing challenges in secure development practices for complex enterprise products like AEM Forms.