    From TechnologyDaily@1337:1/100 to All on Thursday, October 16, 2025 14:30:08
    This Adobe AEM flaw is as dangerous as they come, and it's already being exploited

    Date:
    Thu, 16 Oct 2025 13:15:00 +0000

    Description:
    Patches released for two flaws, including a 10/10 one being actively used.

    FULL STORY ======================================================================
    Adobe patched two critical AEM flaws enabling code execution and file access without user interaction.
    CISA added CVE-2025-54253 and CVE-2025-54254 to KEV, confirming active exploitation.
    Agencies must patch by November 5; private sector urged to follow due to widespread risk.

    Adobe recently patched two flaws in its Experience Manager product, including a maximum-severity one that allows malicious actors to execute arbitrary code.

    While the company said it is not aware of in-the-wild exploits, it did say that it saw proof-of-concept (PoC) exploits out there. Also, the US Cybersecurity and Infrastructure Security Agency (CISA) added it to KEV (the Known
    Exploited Vulnerabilities catalog), meaning it is being used in attacks.

    Adobe Experience Manager (AEM) is Adobe's enterprise-level content management system (CMS) used for building and managing websites, mobile apps, and
    digital experiences. It helps large organizations create, organize, and deliver personalized content across different channels.

    Added to CISA's KEV

    The two flaws in question are tracked as CVE-2025-54253 and CVE-2025-54254. The former is described as a misconfiguration vulnerability that can be
    abused to bypass security mechanisms and has a severity score of 10/10 (critical).

    The latter is an improper restriction of XML External Entity Reference (XXE) vulnerability that results in arbitrary file system read and allows attackers to access sensitive files - without any user interaction. It was given a severity score of 8.6/10 (high).
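    The XXE class named above is worth seeing from the defender's side. The following Python is an added example, not code from the article, from Adobe or from AEM (which is Java-based, and whose parser configuration the article does not describe): it uses the standard library's expat binding to (a) inventory external entity declarations in a document without fetching any of them, which serves as a detection check at an ingress point, and (b) parse with any DOCTYPE refused, the usual hardening that removes the XXE class entirely because no entity can be declared without a DTD. The two sample documents, and the SYSTEM id in the hostile one, are constructed placeholders.

```python
# Added example (not from the article, Adobe or AEM): XXE-safe XML handling
# with Python's standard-library expat binding. All inputs are constructed.
import xml.parsers.expat as expat


class DoctypeRejected(ValueError):
    """Raised when a document carries a DOCTYPE, the prerequisite for XXE."""


def _new_parser():
    parser = expat.ParserCreate()
    # Never expand parameter entities (the DTD-level variant of the trick);
    # expat resolves no external entity unless a handler is installed anyway.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    return parser


def find_external_entities(data):
    """Detection helper: return [(entity name, SYSTEM or PUBLIC id)] for every
    external entity declared in the DTD, without fetching any of them."""
    found = []
    parser = _new_parser()

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # Internal entities carry a value; external ones carry an identifier.
        if system_id is not None or public_id is not None:
            found.append((name, system_id or public_id))

    parser.EntityDeclHandler = on_entity_decl
    parser.Parse(data, True)
    return found


def parse_hardened(data):
    """Count elements by tag name; refuse any document that declares a DOCTYPE
    (the standard mitigation: no DTD means no entity can be defined)."""
    counts = {}
    parser = _new_parser()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        # An exception raised in a handler aborts parsing and propagates
        # out of Parse(), so nothing after the DOCTYPE is ever processed.
        raise DoctypeRejected(f"DOCTYPE {name!r} is not allowed")

    def on_start(tag, attrs):
        counts[tag] = counts.get(tag, 0) + 1

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    parser.Parse(data, True)
    return counts


def is_accepted(data):
    """True if parse_hardened() accepts the document, False if it rejects it."""
    try:
        parse_hardened(data)
        return True
    except DoctypeRejected:
        return False


# Constructed sample inputs. The SYSTEM id is a placeholder, not a real path.
BENIGN = b"<?xml version='1.0'?><order><item/><item/></order>"
HOSTILE = (
    b"<?xml version='1.0'?>"
    b"<!DOCTYPE order [<!ENTITY ext SYSTEM 'file:///PLACEHOLDER/sensitive.txt'>]>"
    b"<order>&ext;</order>"
)

if __name__ == "__main__":
    print("benign external entities:", find_external_entities(BENIGN))
    print("hostile external entities:", find_external_entities(HOSTILE))
    print("benign accepted:", is_accepted(BENIGN), parse_hardened(BENIGN))
    print("hostile accepted:", is_accepted(HOSTILE))
```

    The scanning function is the one to run in a logging or gateway path, since it records what a document declares without resolving it; the hardened parser is what application code should use. Refusing the DOCTYPE outright is simpler and safer than trying to permit "harmless" DTDs, because entity expansion and parameter entities give a DTD more than one route to the same outcome.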

    Both bugs were found in Adobe Experience Manager versions 6.5.23 and earlier. The patch, released in August this year, brings the tool to version 6.5.0-0108.

    On October 15, CISA added both flaws to its KEV catalog, confirming reports
    of abuse in the wild. When a bug is added to KEV, Federal Civilian Executive Branch (FCEB) agencies have a three-week deadline to apply available fixes
    and mitigations or stop using the vulnerable tools altogether.

    In Adobe's case, agencies have until November 5, 2025, to apply the patches.

    While CISA's deadline only applies to FCEB agencies, other agencies and businesses in the private sector are advised to follow suit, since cybercriminals rarely differentiate between the two and will target whoever
    is vulnerable.

    Via The Hacker News

    ======================================================================
    Link to news story: https://www.techradar.com/pro/security/this-adobe-aem-flaw-is-as-dangerous-as-they-come-and-its-already-being-exploited


    --- Mystic BBS v1.12 A49 (Linux/64)
    * Origin: tqwNet Technology News (1337:1/100)