Ptechhub
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
PtechHub
No Result
View All Result

CISA Flags Adobe AEM Flaw with Perfect 10.0 Score — Already Under Active Attack

The Hacker News by The Hacker News
October 16, 2025
Home Cybersecurity
Share on FacebookShare on Twitter


Oct 16, 2025Ravie LakshmananVulnerability / Data Security

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added a critical security flaw impacting Adobe Experience Manager to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.

The vulnerability in question is CVE-2025-54253 (CVSS score: 10.0), a maximum-severity misconfiguration bug that could result in arbitrary code execution.

According to Adobe, the shortcoming impacts Adobe Experience Manager (AEM) Forms on JEE versions 6.5.23.0 and earlier. It was addressed in version 6.5.0-0108 released early August 2025, alongside CVE-2025-54254 (CVSS score: 8.6).

The flaw results from the dangerously exposed /adminui/debug servlet, which evaluates user-supplied OGNL expressions as Java code without requiring authentication or input validation,” security company FireCompass noted. “The endpoint’s misuse enables attackers to execute arbitrary system commands with a single crafted HTTP request.”

DFIR Retainer Services

There is currently no information publicly available on how the security flaw is being exploited in real-world attacks, although Adobe acknowledged in its advisory that “CVE-2025-54253 and CVE-2025-54254 have a publicly available proof-of-concept.”

In light of active exploitation, Federal Civilian Executive Branch (FCEB) agencies are advised to apply the necessary fixes by November 5, 2025.

The development comes a day after CISA also added a critical improper authentication vulnerability in SKYSEA Client View (CVE-2016-7836, CVSS score: 9.8) to the KEV catalog. Japan Vulnerability Notes (JVN), in an advisory released in late 2016, said “attacks exploiting this vulnerability have been observed in the wild.”

“SKYSEA Client View contains an improper authentication vulnerability that allows remote code execution via a flaw in processing authentication on the TCP connection with the management console program,” the agency said.



Source link

Tags: computer securitycyber attackscyber newscyber security newscyber security news todaycyber security updatescyber updatesdata breachhacker newshacking newshow to hackinformation securitynetwork securityransomware malwaresoftware vulnerabilitythe hacker news
The Hacker News

The Hacker News

Next Post
ESR and Colt DCS Announce Joint Venture on New Osaka Data Centre Development

ESR and Colt DCS Announce Joint Venture on New Osaka Data Centre Development

Recommended.

Vero Fiber Networks Finalizes Acquisition of Velocity Fiber, Accelerating Growth in K-12 E-Rate Sector

Vero Fiber Networks Finalizes Acquisition of Velocity Fiber, Accelerating Growth in K-12 E-Rate Sector

July 2, 2026
Datacentre dive: Do AI datacentre physics make on-premise unviable? | Computer Weekly

Datacentre dive: Do AI datacentre physics make on-premise unviable? | Computer Weekly

May 27, 2026

Trending.

Cloud Market Share Q1 2026: AWS, Microsoft, Google Battling In AI Era

Cloud Market Share Q1 2026: AWS, Microsoft, Google Battling In AI Era

May 4, 2026
AWS Vs. Google Cloud Vs. Microsoft Azure Q1 Earnings Face-Off

AWS Vs. Google Cloud Vs. Microsoft Azure Q1 Earnings Face-Off

May 1, 2026
Google’s 0 Million Partner Fund Targets AI Agent Era Channel Paradigm Shift

Google’s $750 Million Partner Fund Targets AI Agent Era Channel Paradigm Shift

April 24, 2026
AWS Solution Provider Caylent Unveils Dedicated Anthropic Claude Unit

AWS Solution Provider Caylent Unveils Dedicated Anthropic Claude Unit

April 30, 2026
This Scammer Used an AI-Generated MAGA Girl to Grift ‘Super Dumb’ Men

This Scammer Used an AI-Generated MAGA Girl to Grift ‘Super Dumb’ Men

April 21, 2026

PTechHub

A tech news platform delivering fresh perspectives, critical insights, and in-depth reporting — beyond the buzz. We cover innovation, policy, and digital culture with clarity, independence, and a sharp editorial edge.

Follow Us

Industries

  • AI & ML
  • Cybersecurity
  • Enterprise IT
  • Finance
  • Telco

Navigation

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Subscribe to Our Newsletter

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Copyright © 2025 | Powered By Porpholio

No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs

Copyright © 2025 | Powered By Porpholio