Week 32 – Critical AEM Forms Exploit via Apache Struts
04 – 10 Aug 2025

Vulnerabilities don’t always require complex exploits or innovative tricks to be exploited. In many cases they stem from trivial development errors, misconfigurations or plain negligence.
Such is the case for this week’s star of our CVE of the Week series: Adobe Experience Manager (AEM) Forms. AEM Forms lets businesses build web forms to engage with their customers. For maximum flexibility, it can be deployed as part of a standard AEM installation (AEM Forms on OSGi) or as a standalone Java application on a compatible application server (AEM Forms on JEE).
Searchlight Cyber’s researchers encountered the latter variant during an engagement, and their investigation led to critical findings affecting AEM Forms on JEE deployments. These weaknesses are now tracked as CVE-2025-49533, CVE-2025-54253 and CVE-2025-54254. The first was published and patched back in July, so this post focuses on the other two, especially CVE-2025-54253, which allows straightforward, unauthenticated remote code execution (CVE-2025-54254 is an XML external entity, XXE, issue).
For the technical details, we need to take a step back: the affected AEM Forms on JEE components are built on Apache Struts 2, an open-source MVC framework for Java web applications. To help development, Struts has a configuration constant called struts.devMode, which raises log levels, reloads configuration on the fly and enables additional debugging features. Among them is a debugging interceptor that honours a debug request parameter and, in one of its modes, evaluates an OGNL expression supplied by the client. It is a powerful tool, and Apache’s documentation is explicit that devMode must never be enabled in production. Adobe missed this crucial step before shipping AEM Forms, and Struts devMode was left on in the product. Combined with a logic error that lets unauthenticated requests reach the affected Struts actions, and a bypass of the OGNL sandbox (Struts’ restrictions on which classes and members an expression may touch), this yields full pre-authentication RCE.
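The check a practitioner wants after reading the paragraph above is whether their own Struts 2 deployment ships with devMode on. The following script is an added example for this post, not code from Adobe, Apache Struts or Searchlight Cyber. It reads the two documented Struts locations for the constant (the constant element in struts.xml and the key in struts.properties) and flags any source that sets it to true; the sample configuration files it scans are constructed for the example and do not reproduce AEM Forms’ real configuration, and the audit deliberately does not model Struts’ source-precedence rules.

```python
"""Audit Apache Struts 2 configuration for struts.devMode.

Added example for this post; it is not code from Adobe, Apache Struts or
Searchlight Cyber. Struts 2 reads the struts.devMode constant from
struts.xml (<constant name="struts.devMode" value="..."/>) and from
struts.properties (struts.devMode = ...), both documented Struts
locations. The sample files below are constructed for this example.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

# Constructed sample: a struts.xml that ships with devMode on (the weak setting).
WEAK_STRUTS_XML = """<struts>
    <constant name="struts.devMode" value="true"/>
    <constant name="struts.enable.DynamicMethodInvocation" value="false"/>
    <package name="default" extends="struts-default"/>
</struts>
"""

# Constructed sample: the same file with the production-safe setting.
HARDENED_STRUTS_XML = WEAK_STRUTS_XML.replace(
    'name="struts.devMode" value="true"', 'name="struts.devMode" value="false"'
)

# Constructed sample: a struts.properties that also turns devMode on.
WEAK_STRUTS_PROPERTIES = "struts.devMode = true\nstruts.i18n.reload = true\n"


def devmode_from_struts_xml(text: str) -> Optional[bool]:
    """Return the struts.devMode value declared in struts.xml, or None if absent.

    Struts treats the value case-insensitively ("true"/"True"), so we do too.
    """
    root = ET.fromstring(text)
    for const in root.iter("constant"):
        if const.get("name") == "struts.devMode":
            return (const.get("value") or "").strip().lower() == "true"
    return None


def devmode_from_properties(text: str) -> Optional[bool]:
    """Return struts.devMode from a Java .properties file, or None if absent."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        # Java properties accept '=' or ':' as the key/value separator.
        for sep in ("=", ":"):
            if sep in line:
                key, _, value = line.partition(sep)
                break
        else:
            key, value = line, ""
        if key.strip() == "struts.devMode":
            return value.strip().lower() == "true"
    return None


def audit(files: Dict[str, str]) -> List[str]:
    """Return one finding per configuration source that enables devMode.

    `files` maps a file name to its contents. Struts merges constants from
    several sources, later ones overriding earlier ones; this audit does not
    model that precedence and simply flags every source that sets devMode to
    true, since any of them deserves a look on a production server.
    """
    findings: List[str] = []
    for name, text in files.items():
        if name.endswith(".xml"):
            value = devmode_from_struts_xml(text)
        elif name.endswith(".properties"):
            value = devmode_from_properties(text)
        else:
            continue
        if value:
            findings.append(f"{name}: struts.devMode=true (must be false in production)")
    return findings


if __name__ == "__main__":
    for finding in audit({"struts.xml": WEAK_STRUTS_XML,
                          "struts.properties": WEAK_STRUTS_PROPERTIES}):
        print(finding)
    print("hardened:", audit({"struts.xml": HARDENED_STRUTS_XML}))
```

On a real host, point `audit` at the files extracted from the deployed WAR (struts.xml and struts.properties typically sit under WEB-INF/classes); a value of true in either is a finding regardless of which one Struts ends up honouring.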
This story also highlights flaws in Adobe’s application security processes. According to Searchlight Cyber, they notified the vendor of the three vulnerabilities in April, but the first patch was not released until almost three months later, in July. To make matters worse, that patch covered only one bug (CVE-2025-49533). During this time Searchlight sent Adobe multiple reminders that the disclosure deadline was approaching, but no fixes were published for the remaining two issues. Searchlight finally published its findings on 29th July, which left Adobe little choice but to address them: CVE numbers were assigned and patches were released on 5th August.
Until that date, many enterprise customers were exposed to these attacks, possibly suffering data breaches as a consequence. For companies running AEM Forms on JEE, we recommend patching immediately, verifying that struts.devMode is off in the deployed configuration, and performing a forensic investigation of the affected servers, since pre-authentication RCE means a compromise may predate the patch. Also, as the Searchlight writeup notes, a WAF can make exploitation harder, but it can be bypassed and is not a substitute for the patch.
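For the forensic investigation recommended above, the first thing to look for in web server access logs is any request that invoked Struts’ debug interceptor at all. The script below is an added example for this post, not Searchlight Cyber’s, Adobe’s or Apache’s code. The only facts it relies on are documented Struts 2 behaviour: with devMode on, the interceptor honours a debug parameter with the modes xml, console, command and browser, and in command mode evaluates the expression parameter as OGNL. The log format, the paths and the sample lines are constructed, and the OGNL marker list is a heuristic rather than a complete signature. It decodes the query string (twice, to catch double encoding) before matching, which is also why matching the raw request, as a naive WAF rule does, is easy to get around.

```python
"""Flag Struts 2 debug-interceptor requests in web server access logs.

Added example for this post; it is not Searchlight Cyber's, Adobe's or
Apache's code. With struts.devMode on, Struts 2's DebuggingInterceptor
honours a `debug` request parameter (modes xml, console, command, browser)
and, in command mode, evaluates the `expression` parameter as OGNL; those
parameter names are documented Struts behaviour. The log format, paths
and sample lines are constructed for this example, and the OGNL markers
are a heuristic, not a complete signature.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Apache/Tomcat "combined"-style access log line (constructed format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

DEBUG_MODES = {"xml", "console", "command", "browser"}
# Substrings that commonly appear in OGNL payloads; heuristic only.
OGNL_MARKERS = ("#_memberAccess", "@java.", "%{", "#context", "ognl")


def inspect_request(target: str) -> Optional[Dict[str, object]]:
    """Return a finding for one request target, or None if nothing stands out.

    The query string is URL-decoded before matching, because matching the raw
    string is exactly what percent-encoding tricks defeat (the same reason a
    WAF is a stopgap rather than a fix).
    """
    parts = urlsplit(target)
    params = parse_qs(parts.query, keep_blank_values=True)
    reasons: List[str] = []
    debug = [v.lower() for v in params.get("debug", [])]
    if any(v in DEBUG_MODES for v in debug):
        reasons.append(f"struts debug parameter: {debug}")
    if "command" in debug and "expression" in params:
        reasons.append("debug=command with expression: OGNL evaluation requested")
    decoded = unquote(unquote(parts.query)).lower()  # handle double encoding too
    hits = [m for m in OGNL_MARKERS if m.lower() in decoded]
    if hits:
        reasons.append(f"OGNL-like markers: {hits}")
    if not reasons:
        return None
    return {"path": parts.path, "reasons": reasons}


def scan_log(lines) -> List[Dict[str, object]]:
    """Parse access log lines and return findings with source IP, time and status."""
    findings: List[Dict[str, object]] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a recognised access-log line
        finding = inspect_request(m.group("target"))
        if finding:
            finding.update(ip=m.group("ip"), ts=m.group("ts"), status=m.group("status"))
            findings.append(finding)
    return findings


# Constructed sample log lines (not real AEM Forms traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [06/Aug/2025:09:14:02 +0000] "GET /forms/list.action HTTP/1.1" 200 5120',
    '203.0.113.7 - - [06/Aug/2025:09:14:09 +0000] "GET /forms/list.action?debug=xml HTTP/1.1" 200 8810',
    '203.0.113.7 - - [06/Aug/2025:09:14:15 +0000] "GET /forms/list.action?debug=command&expression=1%2B1 HTTP/1.1" 200 2',
    '203.0.113.7 - - [06/Aug/2025:09:14:21 +0000] "GET /forms/list.action?debug=command&expression=%2523_memberAccess HTTP/1.1" 200 2',
    'garbage line that is not an access log entry',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ts"], f["ip"], f["path"], "->", "; ".join(f["reasons"]))
```

A 200 status on a debug=command request is the line to chase: on a patched or correctly configured server the interceptor is inactive and the parameter is ignored. Treat hits from before the patch date as a reason to widen the investigation to process execution and outbound connections from the application server, not as proof of compromise on their own.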
Searchlight tech writeup: https://slcyber.io/assetnote-security-research-center/struts-devmode-in-2025-critical-pre-auth-vulnerabilities-in-adobe-experience-manager-forms/
Adobe advisory: https://helpx.adobe.com/security/products/aem-forms/apsb25-82.html
NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2025-54253

White Hat IT Security is a Europe-based Managed Security Services Provider (MSSP) and a proud Microsoft Solution Partner. Its Microsoft-verified managed security solutions (MXDR) reflect its deep expertise and commitment to excellence in cybersecurity. The company was awarded Microsoft’s Partner of the Year Hungary Award in 2024.
With the largest incident response capacity in the CEE region, the company is trusted by organizations to deliver fast, effective and proactive protection. Its portfolio includes penetration testing, vulnerability assessments, managed Cyber Threat Intelligence, as well as Governance, Risk and Compliance (GRC) consulting and specialized security training.
The company is committed to supporting professional initiatives that aim to raise cybersecurity awareness and maturity, both for individuals and organizations. Th