The U.S. Cybersecurity and Infrastructure Safety Company (CISA) on Wednesday added a vital security flaw impacting Adobe Expertise Supervisor to its Identified Exploited Vulnerabilities (KEV) catalog, primarily based on proof of lively exploitation.
The vulnerability in query is CVE-2025-54253 (CVSS rating: 10.0), a maximum-severity misconfiguration bug that might end in arbitrary code execution.
In keeping with Adobe, the shortcoming impacts Adobe Expertise Supervisor (AEM) Kinds on JEE variations 6.5.23.0 and earlier. It was addressed in model 6.5.0-0108 launched early August 2025, alongside CVE-2025-54254 (CVSS rating: 8.6).
The flaw outcomes from the dangerously uncovered /adminui/debug servlet, which evaluates user-supplied OGNL expressions as Java code with out requiring authentication or enter validation,” security firm FireCompass famous. “The endpoint’s misuse permits attackers to execute arbitrary system instructions with a single crafted HTTP request.”
There’s at the moment no info publicly accessible on how the security flaw is being exploited in real-world assaults, though Adobe acknowledged in its advisory that “CVE-2025-54253 and CVE-2025-54254 have a publicly accessible proof-of-concept.”
In gentle of lively exploitation, Federal Civilian Govt Department (FCEB) businesses are suggested to use the mandatory fixes by November 5, 2025.
The event comes a day after CISA additionally added a vital improper authentication vulnerability in SKYSEA Shopper View (CVE-2016-7836, CVSS rating: 9.8) to the KEV catalog. Japan Vulnerability Notes (JVN), in an advisory launched in late 2016, stated “assaults exploiting this vulnerability have been noticed within the wild.”
“SKYSEA Shopper View incorporates an improper authentication vulnerability that enables distant code execution through a flaw in processing authentication on the TCP reference to the administration console program,” the company stated.
