PT-2025-28765 · Adobe · Experience Manager
Published 2025-07-08 · Updated 2025-09-26 · CVE-2025-49533
CVSS v2.0: 10 (Critical) | AV:N/AC:L/Au:N/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions
Adobe Experience Manager (MS) versions 6.5.23.0 and earlier
Adobe Experience Manager (AEM) Forms on JEE (affected versions not specified)
Description
The software is susceptible to a Deserialization of Untrusted Data issue. Successful exploitation does not require user interaction and could allow a remote attacker to execute arbitrary code. The vulnerability resides in the FormServer module, specifically in the GetDocumentServlet endpoint. The servlet processes user-supplied data, decoding and deserializing it without proper validation. An attacker can send malicious data, potentially Base64-encoded and gzip-compressed, to execute commands on the server. The API endpoint /FormServer/servlet/GetDocumentServlet is used to deliver the malicious payload; the vulnerable parameter is serDoc. A Python server can be used to emulate the deserialization process, demonstrating how a crafted payload can lead to Remote Code Execution (RCE).
Recommendations
Update Adobe Experience Manager to a version later than 6.5.23.0.
Update Adobe AEM Forms on JEE to a newer version that addresses this issue.
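The description above gives defenders a concrete signature: a serDoc value that Base64-decodes (optionally after gunzipping) to a Java serialization stream, which always begins with the magic bytes AC ED 00 05. The following script is an added example, not part of the advisory or of Adobe's code, that applies this check to web-server access-log lines for the /FormServer/servlet/GetDocumentServlet endpoint. The log format (combined log format with the request in the query string) and the sample lines it scans are constructed for the example; the Java stream header it embeds is an inert placeholder, not a deserialization gadget.

```python
"""Flag access-log requests whose serDoc value carries a Java serialization
stream, directly or wrapped in gzip. Added detection example; log lines and
payloads are constructed, not taken from real traffic."""
import base64
import binascii
import gzip
import re
from urllib.parse import parse_qs, urlencode, urlsplit

TARGET_PATH = "/FormServer/servlet/GetDocumentServlet"
PARAM = "serDoc"
JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"   # ObjectOutputStream header
GZIP_MAGIC = b"\x1f\x8b"

# Request field of a combined-log-format line: "METHOD /path?query HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def decode_serdoc(value: str) -> dict:
    """Base64-decode a serDoc value, gunzip it if needed, and classify the bytes."""
    result = {"base64": False, "gzip": False, "java_stream": False}
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return result          # not Base64 at all: nothing further to inspect
    result["base64"] = True
    if raw.startswith(GZIP_MAGIC):
        result["gzip"] = True
        try:
            raw = gzip.decompress(raw)
        except (OSError, EOFError):
            return result      # truncated or corrupt gzip member
    result["java_stream"] = raw.startswith(JAVA_STREAM_MAGIC)
    return result


def scan_log(lines) -> list:
    """Return one finding per request to the vulnerable servlet whose serDoc
    parameter decodes to a Java serialization stream."""
    findings = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = urlsplit(match.group("target"))
        if url.path != TARGET_PATH:
            continue           # other paths are out of scope for this rule
        for value in parse_qs(url.query).get(PARAM, []):
            info = decode_serdoc(value)
            if info["java_stream"]:
                findings.append({
                    "line": line,
                    "gzip": info["gzip"],
                    "reason": "serDoc decodes to a Java serialization stream",
                })
    return findings


def encode_payload(raw: bytes, compress: bool) -> str:
    """Helper for building test inputs: optional gzip, then Base64 (constructed)."""
    if compress:
        raw = gzip.compress(raw)
    return base64.b64encode(raw).decode()


def build_sample_log() -> list:
    """Constructed sample lines: a benign request, one carrying an inert Java
    stream header (placeholder bytes, not a gadget chain), and one hitting a
    different path. Only the second should be reported."""
    benign = encode_payload(b"<document/>", compress=False)
    inert = encode_payload(JAVA_STREAM_MAGIC + b"inert-placeholder", compress=True)
    prefix = '203.0.113.7 - - [08/Jul/2025:10:00:00 +0000] "GET '
    return [
        f'{prefix}{TARGET_PATH}?{urlencode({PARAM: benign})} HTTP/1.1" 200 512',
        f'{prefix}{TARGET_PATH}?{urlencode({PARAM: inert})} HTTP/1.1" 500 0',
        f'{prefix}/content/other.html?{urlencode({PARAM: inert})} HTTP/1.1" 404 0',
    ]


if __name__ == "__main__":
    for hit in scan_log(build_sample_log()):
        print(hit["reason"], "(gzip)" if hit["gzip"] else "", "::", hit["line"])
```

Access logs only record the query string, so a serDoc value sent in a POST body is invisible to this rule; to cover that case the same decode_serdoc() check would have to run on request bodies captured at a WAF or reverse proxy. The check is deliberately independent of any particular gadget chain: any serialized Java object arriving in this parameter is worth an alert, because the servlet should never receive one from an untrusted client.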
Fix
RCE
Deserialization of Untrusted Data
Weakness Enumeration
Related Identifiers
Affected Products
Experience Manager