CISA Warns: Critical Adobe Vulnerability CVE-2025-54253 Exploited in Attacks - Patch Now! (2025)

Imagine a critical flaw in a widely-used software tool, one that allows hackers to sneak past security measures and take control of entire systems—all without needing any interaction from users. This isn’t a hypothetical scenario; it’s happening right now. The Cybersecurity and Infrastructure Security Agency (CISA) has issued a stark warning: attackers are actively exploiting a maximum-severity vulnerability in Adobe Experience Manager (AEM), putting countless systems at risk. But here’s where it gets even more alarming—this flaw, tracked as CVE-2025-54253, has been left unpatched for over 90 days, despite being reported to Adobe back in April. And this is the part most people miss: the delay in patching wasn’t due to oversight but because Adobe prioritized fixing other issues first, leaving organizations exposed to a highly exploitable vulnerability.

Discovered by security researchers Adam Kues and Shubham Shah of Searchlight Cyber, this flaw stems from a misconfiguration in AEM Forms on JEE versions 6.5.23 and earlier. What makes it particularly dangerous is its simplicity: unauthenticated attackers can bypass security mechanisms and execute arbitrary code remotely, all in low-complexity attacks that require no user interaction. To put it in perspective, this is like leaving the front door of a fortress wide open while assuming the guards will keep intruders out.

But here’s the controversial part: Adobe only released a patch for CVE-2025-54253 on August 9th, after the researchers published a detailed write-up on July 29th explaining how the vulnerability works and how it can be exploited. By then, proof-of-concept exploit code was already circulating publicly. This raises a critical question: Should vendors be held more accountable for delays in patching high-severity flaws, especially when they’ve been privately disclosed? Let’s discuss this in the comments—do you think Adobe’s response was adequate, or should there be stricter consequences for such delays?

CISA has added this vulnerability to its Known Exploited Vulnerabilities Catalog, giving Federal Civilian Executive Branch (FCEB) agencies until November 5th to secure their systems. However, the agency didn’t stop there—it urged all organizations, including those in the private sector, to prioritize patching immediately. Their advice is clear: follow vendor instructions, apply mitigations, or discontinue use of the product if fixes aren’t available. As CISA bluntly stated, these vulnerabilities are a favorite tool for cybercriminals and pose a significant risk to federal and private enterprises alike.

For admins struggling to patch immediately, Searchlight Cyber offered a temporary solution: restrict Internet access to AEM Forms when deployed as a standalone application. While not ideal, it’s a stopgap measure to prevent exploitation until a patch can be applied.
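As an added example, not code from the article, CISA, Adobe or Searchlight Cyber, the following Python helper turns the three facts above into a triage check an admin can run against an inventory: is a host inside the affected range (AEM Forms on JEE 6.5.23 and earlier), how many days remain to the CISA KEV due date of November 5th, and which action applies (patch, or restrict Internet access until patched). The KEV record and the host inventory are constructed; the KEV field names follow the public KEV JSON feed, the `dateAdded` value is a placeholder the article does not give, and the version comparison assumes a conservative reading in which any build whose major.minor.patch is at or below 6.5.23 counts as affected.

```python
# Added triage helper for CVE-2025-54253 (not from the article, CISA, Adobe or
# Searchlight Cyber). Checks an AEM Forms on JEE version against the affected
# range the article states (6.5.23 and earlier) and works out the KEV deadline.
from datetime import date

AFFECTED_MAX = (6, 5, 23)  # "AEM Forms on JEE versions 6.5.23 and earlier"

# CONSTRUCTED KEV-style record. Field names follow the public KEV JSON feed;
# cveID, product and dueDate come from the article, dateAdded is a placeholder.
SAMPLE_KEV_ENTRY = {
    "cveID": "CVE-2025-54253",
    "vendorProject": "Adobe",
    "product": "Experience Manager Forms",
    "dateAdded": "YYYY-MM-DD",  # placeholder: not stated in the article
    "requiredAction": "Apply mitigations per vendor instructions or "
                      "discontinue use of the product if fixes are unavailable.",
    "dueDate": "2025-11-05",    # FCEB remediation deadline given in the article
}

# CONSTRUCTED inventory rows: hostname, reported version, Internet exposure.
SAMPLE_INVENTORY = [
    {"host": "forms-prod-01", "version": "6.5.21.0", "internet_exposed": True},
    {"host": "forms-int-02", "version": "6.5.23", "internet_exposed": False},
    {"host": "forms-dev-03", "version": "6.5.24", "internet_exposed": True},
]


def parse_version(version: str) -> tuple:
    """Turn '6.5.23', '6.5.23.0' or '6.5.21-SP1' into a tuple of ints.
    A trailing non-numeric suffix on a component is ignored; the tuple is
    padded with zeros so that it always has at least three components."""
    parts = []
    for component in version.strip().split("."):
        digits = ""
        for ch in component:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected(version: str) -> bool:
    """Assumption: compare only major.minor.patch, so every 6.5.23.x build is
    treated as affected. Over-inclusive on purpose for a triage pass."""
    return parse_version(version)[:3] <= AFFECTED_MAX


def kev_deadline(entry: dict, today) -> dict:
    """Days remaining until the KEV dueDate; `today` may be a date or ISO string."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    due = date.fromisoformat(entry["dueDate"])
    days_left = (due - today).days
    return {"cve": entry["cveID"], "due_date": due.isoformat(),
            "days_left": days_left, "overdue": days_left < 0}


def triage(hosts: list, today, entry: dict = SAMPLE_KEV_ENTRY) -> list:
    """Apply the article's guidance per host: patch affected systems; where an
    affected system is Internet-exposed, also restrict Internet access to AEM
    Forms until the patch is on. Unaffected versions need no action."""
    deadline = kev_deadline(entry, today)
    results = []
    for h in hosts:
        affected = is_affected(h["version"])
        if not affected:
            action = "none: version outside affected range"
        elif h["internet_exposed"]:
            action = "patch now; until patched, restrict Internet access to AEM Forms"
        else:
            action = "patch now"
        results.append({"host": h["host"], "version": h["version"],
                        "affected": affected, "action": action,
                        "days_to_kev_deadline": deadline["days_left"]})
    return results


if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY, date.today()):
        print(row)
```

Run it against a real inventory by replacing `SAMPLE_INVENTORY` with the output of your asset system; the KEV feed's real `dateAdded` and `requiredAction` values can be dropped into `SAMPLE_KEV_ENTRY` unchanged, since the keys match the feed.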

And this is where it gets even more critical: vulnerabilities like CVE-2025-54253 aren’t just technical issues—they’re reminders of the broader challenges in cybersecurity. How do we balance the need for rapid innovation with the responsibility to secure systems? Are vendors doing enough to protect their users, or is the onus unfairly placed on organizations to fend for themselves? These questions don’t have easy answers, but they’re essential for shaping a safer digital future.

Speaking of the future of cybersecurity, if you’re looking to stay ahead of threats like these, mark your calendar for the Picus BAS Summit, the Security Validation Event of the Year. This isn’t just another conference—it’s your chance to hear from top experts and see how AI-powered Breach and Attack Simulation (BAS) is revolutionizing security validation. Don’t miss this opportunity to transform your security strategy and prepare for the challenges of tomorrow. Join us and be part of the movement shaping the future of cybersecurity.


Author: Dong Thiel