The US cyber agency says CVE-2025-54253 is being actively exploited and could lead to remote code execution.
The United States Cybersecurity and Infrastructure Security Agency (CISA) has added a vulnerability in Adobe Experience Manager to its Known Exploited Vulnerabilities Catalog.
CISA made the addition on 16 October, noting CVE-2025-54253 is a “type of vulnerability [that] is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise”.
Specifically, CVE-2025-54253 – present in versions 6.5.23 and earlier of Adobe Experience Manager – is a misconfiguration vulnerability that could lead to arbitrary code execution.
“An attacker could leverage this vulnerability to bypass security mechanisms and execute code,” the CVE listing – first reported in August and updated last week – said.
“Exploitation of this issue does not require user interaction and scope is changed.”
At the time of the original disclosure of the vulnerability, Adobe said it was aware of a publicly available proof of concept, but it was not aware of any active exploitation.
CVE-2025-54253 has the maximum CVSS score of 10, making it critical severity. Another vulnerability, CVE-2025-54254, was disclosed by Adobe at the same time. This flaw is also critical, with a CVSS score of 8.6, but does not appear to be actively exploited at this point.
Updating Adobe Experience Manager to the latest available version will address the vulnerability.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.