Adobe Experience Manager Forms vulnerabilities overview

In April 2025, the Searchlight Cyber Research Team identified three critical vulnerabilities in Adobe Experience Manager (AEM) Forms. As of now, 90 days post-disclosure, Adobe has only patched one vulnerability: an insecure deserialization flaw leading to command execution (CVE-2025-49533).


The other two vulnerabilities, an authentication bypass leading to remote code execution (RCE) via Struts2 devmode (SL-AEM-FORMS-1) and an XML External Entity (XXE) vulnerability in the AEM Forms web services (SL-AEM-FORMS-2), remain unpatched.

We strongly advise restricting external internet access to AEM Forms when deployed as a standalone application.


Conclusion

The vulnerabilities in AEM Forms are relatively straightforward and should have been identified earlier, especially given the product's long history. Struts DevMode being enabled by default is what allows the authentication bypass to be escalated to RCE, and is the setting customers should verify first. We recommend that customers using AEM Forms in standalone mode limit access to internal users and networks only until all vulnerabilities are fully addressed.
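Because DevMode is the Struts 2 setting that turns the first issue into RCE, a quick configuration audit is worth running on any standalone AEM Forms host. The script below is an added example and is not code from Searchlight Cyber or Adobe. It relies only on the standard Struts 2 configuration surface, the `struts.devMode` constant in `struts.xml` or the `struts.devMode` key in `struts.properties`; where those files sit inside a given AEM Forms deployment (and whether AEM Forms ships its own copy) is an assumption you must confirm for your install. The sample configuration contents are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

# Constructed sample inputs for the example; not taken from a real AEM Forms deployment.
STRUTS_XML_DEVMODE_ON = """<?xml version="1.0" encoding="UTF-8"?>
<struts>
  <constant name="struts.devMode" value="true" />
  <constant name="struts.enable.DynamicMethodInvocation" value="false" />
</struts>
"""

STRUTS_XML_DEVMODE_OFF = """<?xml version="1.0" encoding="UTF-8"?>
<struts>
  <constant name="struts.devMode" value="false" />
</struts>
"""

STRUTS_PROPERTIES_ON = """# struts.properties (constructed sample)
struts.devMode = true
struts.action.extension = action,
"""


def devmode_from_struts_xml(text: str) -> Optional[bool]:
    """Return the value of the struts.devMode <constant> in a struts.xml document.

    True/False when the constant is present, None when it is absent (Struts 2
    then falls back to its default of false).
    """
    root = ET.fromstring(text)
    for const in root.iter("constant"):
        if const.get("name") == "struts.devMode":
            return const.get("value", "").strip().lower() == "true"
    return None


def devmode_from_properties(text: str) -> Optional[bool]:
    """Return the value of the struts.devMode key in a struts.properties file.

    Java properties allow '=' or ':' as the separator and '#'/'!' comments.
    """
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        m = re.match(r"struts\.devMode\s*[=:]\s*(\S+)", line)
        if m:
            return m.group(1).lower() == "true"
    return None


def audit(files: Dict[str, str]) -> List[str]:
    """Map each config file name to its contents and return one finding per
    file that explicitly enables DevMode. Both file types are checked because
    either can carry the setting in a Struts 2 application."""
    findings: List[str] = []
    for name, content in files.items():
        if name.endswith(".xml"):
            state = devmode_from_struts_xml(content)
        elif name.endswith(".properties"):
            state = devmode_from_properties(content)
        else:
            continue  # not a Struts configuration file
        if state is True:
            findings.append(f"{name}: struts.devMode=true; disable before exposing this host")
    return findings


if __name__ == "__main__":
    # Stand-alone run over the constructed samples; on a real host, read the
    # files from the deployed AEM Forms application instead.
    for finding in audit({"struts.xml": STRUTS_XML_DEVMODE_ON,
                          "struts.properties": STRUTS_PROPERTIES_ON}):
        print(finding)
```

A clean result from this check does not make the unpatched issues go away; the network restriction advised above still applies until Adobe ships fixes for SL-AEM-FORMS-1 and SL-AEM-FORMS-2.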