Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2025-54249Server-Side Request Forgery in Adobe Experience Manager

CWE-918Server-Side Request Forgery6 documents6 sources
Severity
6.5MEDIUMNVD
EPSS
6.3%
top 8.99%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
2
Adobe Experience ManagerAdobe Experience Manager
Timeline
PublishedSep 9

Description

Adobe Experience Manager versions 6.5.23.0 and earlier are affected by a Server-Side Request Forgery (SSRF) vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to manipulate server-side requests and bypass security controls allowing unauthorized read access.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages2 packages

NVDadobe/experience_manager6.5.23.0+2
CVEListV5adobe/adobe_experience_manager6.5.23.0

🔴Vulnerability Details

3
GHSA
GHSA-6jw2-rv23-6vmg: Adobe Experience Manager versions 62025-09-09
CVEList
Adobe Experience Manager | Server-Side Request Forgery (SSRF) (CWE-918)2025-09-09
VulnCheck
Adobe experience_manager Server-Side Request Forgery (SSRF)2025

💥Exploits & PoCs

1
Nuclei
Adobe Experience Manager ≤ 6.5.23.0 – SSRF
CVE-2025-54249 — Server-Side Request Forgery in Adobe | cvebase