The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a critical security flaw in Adobe Experience Manager (AEM) to its Known Exploited Vulnerabilities (KEV) catalog on October 16, 2025, indicating that the vulnerability is being actively exploited. The misconfiguration bug, identified as CVE-2025-54253, has a maximum severity score of 10.0 and could allow for arbitrary code execution. The vulnerability affects AEM Forms on JEE versions 6.5.23.0 and earlier and was addressed by Adobe in a release in early August 2025. Due to the active exploitation, CISA has mandated that Federal Civilian Executive Branch agencies apply the necessary fixes by November 5, 2025. While there is no public information on the specific real-world attacks, Adobe has acknowledged that a proof-of-concept for the exploit is publicly available.