The US cybersecurity agency CISA has added a critical bug in Adobe Experience Manager to its catalog of Known Exploited Vulnerabilities, citing confirmed ongoing attacks.
The bug is CVE-2025-54253, a misconfiguration flaw rated CVSS 10 that allows arbitrary code execution.
The issue was described in detail by Adam Kues and Shubham Shah of Searchlight Cyber, who showed that the flaw is a chain of an authentication bypass and remote command execution through the Struts 2 framework's development mode (devMode).
The key culprit is an unprotected /adminui/debug servlet: it accepts user-supplied OGNL expressions and evaluates them as Java code, without requiring a login or validating the input.
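For defenders, the two facts above translate directly into checks: the debug servlet should never be reachable from clients, and Struts devMode should never be on in production. The following Python script is an added example written for this note; it is not code from Adobe, CISA or Searchlight Cyber. It assumes an Apache/Nginx "combined" access-log format and a struts.properties or struts.xml fragment; the sample log lines and config snippets at the bottom are constructed for the stand-alone run.

```python
"""Defender-side triage helpers for the AEM debug-servlet issue described above.

Two checks, both written for this example (not Adobe's or Searchlight's code):
  1. flag_debug_servlet_hits(): scan access logs for any request to the
     /adminui/debug servlet, which should never be reachable from clients.
  2. struts_devmode_enabled(): audit a Struts 2 properties/XML fragment for
     development mode being switched on (struts.devMode = true).
"""
import re
from urllib.parse import urlsplit

# Apache/Nginx "combined" log format is an assumption of this example.
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

DEBUG_SERVLET = "/adminui/debug"


def parse_access_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = _LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["path"] = urlsplit(d["target"]).path  # drop the query string for path matching
    return d


def flag_debug_servlet_hits(lines):
    """Return (ip, timestamp, status) for every request whose path reaches the debug servlet.

    Any hit is worth a ticket: the servlet is an internal diagnostic endpoint, and the
    status code tells you whether the request was served (200) or blocked (403/404).
    """
    hits = []
    for line in lines:
        rec = parse_access_line(line)
        if rec is None:
            continue  # unparseable line; a real pipeline would count these
        # normalise case and trailing slashes so "/AdminUI/Debug/" is not missed
        if rec["path"].rstrip("/").lower() == DEBUG_SERVLET:
            hits.append((rec["ip"], rec["ts"], int(rec["status"])))
    return hits


_DEVMODE_PROPS = re.compile(r'^\s*struts\.devMode\s*=\s*(\w+)', re.M | re.I)
_DEVMODE_XML = re.compile(r'<constant\s+name="struts\.devMode"\s+value="(\w+)"', re.I)


def struts_devmode_enabled(config_text):
    """True if a struts.properties or struts.xml fragment turns on development mode.

    devMode must be off in production: it relaxes OGNL evaluation and exposes error detail.
    """
    for rx in (_DEVMODE_PROPS, _DEVMODE_XML):
        m = rx.search(config_text)
        if m:
            return m.group(1).lower() == "true"
    return False  # not set at all: Struts defaults devMode to false


# Constructed sample data for a stand-alone run (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.7 - - [05/Aug/2025:10:01:02 +0000] "GET /content/forms/af/demo.html HTTP/1.1" 200 5120',
    '203.0.113.7 - - [05/Aug/2025:10:01:09 +0000] "GET /adminui/debug?x=1 HTTP/1.1" 200 342',
    '198.51.100.2 - - [05/Aug/2025:10:02:44 +0000] "POST /AdminUI/Debug/ HTTP/1.1" 403 0',
    'garbage line that does not parse',
]
SAMPLE_PROPS = "struts.action.extension=action\nstruts.devMode = true\n"
SAMPLE_XML = '<struts><constant name="struts.devMode" value="false"/></struts>'

if __name__ == "__main__":
    for hit in flag_debug_servlet_hits(SAMPLE_LOG):
        print("debug servlet hit:", hit)
    print("devMode in properties fragment:", struts_devmode_enabled(SAMPLE_PROPS))
    print("devMode in XML fragment:", struts_devmode_enabled(SAMPLE_XML))
```

The log check deliberately matches on the path alone rather than on any payload pattern: a request that reaches this servlet from outside is the anomaly, regardless of what it carries, and a 200 response to it is the signal that the endpoint was exposed. Point the script at real logs by replacing SAMPLE_LOG with the file's lines, and run the config check against the Struts configuration shipped inside the AEM Forms deployment.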