Adobe Experience Manager versions 6.5.23 and earlier are affected by a Misconfiguration vulnerability that could result in arbitrary code execution. An attacker could leverage this vulnerability to bypass security mechanisms and execute code. Exploitation of this issue does not require user interaction and scope is changed.
An attacker can remotely, without needing an account or user interaction, exploit the system's misconfiguration to bypass security mechanisms. Successful exploitation results in a scope change, meaning the impact of the attack may extend beyond the directly vulnerable component. This allows for arbitrary code execution on the server side with potentially broad privileges.
An attacker can gain full control over the vulnerable server through remote code execution (RCE), which threatens the confidentiality, integrity, and availability of the system and data stored within it.
Apply patches available from the vendor immediately according to Adobe security bulletin APSB25-82 (https://helpx.adobe.com/security/products/aem-forms/apsb25-82.html). Due to active exploitation in the production environment, the update should be performed as a priority.
Adobe Experience Manager Forms in versions 6.5.23 and earlier.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HAdobe Experience Manager Forms
APPAdobe≤ 6.5.23.0
CISA KEV — detailsi
- Vendori
- Adobe ↗
- Producti
- Experience Manager (AEM) Forms
- Added to KEVi
- October 15, 2025
- Remediation deadline (US Federal)i
- November 5, 2025(overdue)
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Adobe Experience Manager Forms in JEE contains an unspecified vulnerability that allows for arbitrary code execution.
Related vulnerabilities
The AEM Forms add-on for versions 6.5.5.0 (and below) and 6.4.8.2 (and below) are affected by a stored XSS vul...
Adobe Experience Manager versions 6.5.23 and earlier are affected by an Improper Restriction of XML External E...
An AEM java servlet in AEM versions 6.5.5.0 (and below) and 6.4.8.1 (and below) executes with the permissions ...
Adobe Experience Manager Forms versions 6.2, 6.1, 6.0 have an information disclosure vulnerability resulting f...
Adobe Experience Manager Forms versions 6.3-6.5 have a reflected cross-site scripting vulnerability. Successfu...