1.0 Introduction
Recently, Adobe released and emergency security updates to address two critical zero-day vulnerabilities in AEM Forms on JEE tracked as CVE-2025-54253: Arbitrary Code Execution and CVE-2025-54254: XML External Entity (XXE) Injection.
2.0 Impact
These vulnerabilities allow attackers to bypass security mechanisms and execute arbitrary code on affected systems. Exploitation does not require user interaction, and the scope of impact is elevated, making it especially dangerous for internet-facing or internal AEM instances. Furthermore, attackers can exploit this flaw to read arbitrary files from the local file systems, potentially exposing sensitive data such as credentials, configuration files, or internal documentation.
3.0 Affected Products
- Adobe AEM Forms on JEE versions 6.5.23.0 and earlier.
4.0 Recommendations
CyberSecurity Malaysia encourages users and administrators to review the following Adobe Security Bulletins and apply the necessary updates:
Generally, Cyber999 advise the users to be updated with the latest security announcements released by Adobe and follow best practice security policies to determine which updates should be applied.
For further enquiries, please contact Cyber999 Incident Response Centre through the following channels:
E-mail: cyber999[at]cybersecurity.my
Phone: 1-300-88-2999 (monitored during business hours)
Mobile: +60 19 2665850 (24x7 call incident reporting)
Business Hours: Mon - Fri 08:30 -17:30 MYT
Web: https://www.cybersecurity.my
5.0 References