CVE-2025-54254

Severity
8.6 HIGH
EPSS
0.2% (top 59.46%)
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Aug 5
Latest update: Aug 19

Description

Adobe Experience Manager versions 6.5.23 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could lead to arbitrary file system read. An attacker could exploit this vulnerability to access sensitive files on the local file system; scope is changed. Exploitation of this issue does not require user interaction.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Exploitability: 3.9 | Impact: 4.0

Affected Packages
2 packages

Vulnerability Details (3)

GHSA
GHSA-6hv6-fgh2-5mjv: Adobe Experience Manager versions 6 (2025-08-05)
CVEList
Adobe Experience Manager | Improper Restriction of XML External Entity Reference ('XXE') (CWE-611) (2025-08-05)
VulnCheck
Adobe experience_manager_forms Improper Restriction of XML External Entity Reference (2025)

Detection Rules (1)

Suricata
ET WEB_SPECIFIC_APPS Adobe Experience Manager Forms XML External Entity Injection (CVE-2025-54254) (2025-08-19)

Threat Intelligence (1)

Bleepingcomputer
Adobe issues emergency fixes for AEM Forms zero-days after PoCs released (2025-08-05)