ÃÛ¶¹ÊÓƵ

DocumentationAEM 6.5User Guide

Mitigating RCE (CVE-2025-49533), Struts Dev Mode Configuration (CVE-2025-54253), XXE (CVE-2025-54254), and Vulnerabilities for AEM Forms on JEE mitigating-xxe-configuration-rce-vulnerabilities-aem-forms

Last update: Thu Aug 14 2025 00:00:00 GMT+0000 (Coordinated Universal Time)
  • Applies to:
  • Experience Manager 6.5

CREATED FOR:

  • Admin

Quick Reference

Impact Level
Affected Versions
Recommended Action
Critical
AEM 6.5 Forms on JEE Service Pack 23 (6.5.23.0)
Install latest hotfix
Critical
AEM 6.5 Forms on JEE Service Pack 18 to 22 (6.5.18.0 - 6.5.22.0)
Manually install the fixes
Critical
AEM 6.5 Forms on JEE Service Pack 17 (6.5.17.0) or earlier
Upgrade to a supported Service Pack version, then apply the recommended mitigation steps for your new version
Not Affected
AEM Forms on OSGi, Workbench, Cloud Service
No action required

Vulnerabilities Addressed:

  • Remote code execution (CVE-2025-49533)
  • Configuration security issues (CVE-2025-54253)
  • XML External Entity (XXE) processing (CVE-2025-54254)

Overview

What’s Affected

Vulnerability
Impact
Affected Components
CVE-2025-49533: Remote Code Execution
Unauthenticated code execution in GetDocumentServlet
AEM 6.5 Forms on JEE Service Pack 23 (6.5.23.0) and earlier
CVE-2025-54253: Configuration Issues
Struts development mode enabled in admin UI
AEM 6.5 Forms on JEE Service Pack 23 (6.5.23.0) and earlier
CVE-2025-54254: XXE Processing
Document Security module allows unauthorized file access
AEM 6.5 Forms on JEE Service Pack 23 (6.5.23.0) and earlier

What’s Not Affected

  • Experience Manager Forms Workbench (all versions)
  • Experience Manager Forms on OSGi (all versions)
  • Experience Manager Forms as a Cloud Service

Resolution Options

Before You Start

Before making any changes, take a backup of the EAR file or DSC file you’re about to modify or update:

  • Locate the original EAR or DSC file in your deployment directory.
  • Copy the file to a secure backup location outside the deployment directory.
  • Ensure the backup is complete and accessible before proceeding with any updates.

This precaution allows you to restore the original state in case you encounter any issues during the update process.

Option 1: (For users on version 6.5.23.0) Install Latest Hotfix

  1. Download the hotfix for 6.5.23.0.

  2. Follow standard hotfix/patch installation instructions

  3. If you are using Document Security (formerly Rights Management) on IBM WebSphere or Oracle WebLogic, set the following Java system property (JVM argument) before starting the AEM Forms server:

    code language-none 
    -Dcom.adobe.forms.jee.services.allowDoctypeDeclaration=true

  4. Restart the application server

Option 2: (For users on 6.5.18.0 - 6.5.22.0) Manual Hotfix Installation

Manual Hotfix Installation for 6.5.18.0 through 6.5.22.0

Step 1: Download and Extract the Hotfix Package

Step 2: Navigate to the Correct Version Folder

  • Based on the Service Pack version installed on your environment, go to the matching folder.

    Example for Service Pack 20 the folder is:

    code language-none 
    <extracted-hotfix>/SP20/

Step 3: Locate the Deployment Directory

  • On your AEM Forms on JEE server, go to:

    code language-none 
    [AEM installation directory]/deploy

    Example: adobe/adobe-experience-manager-forms/deploy

Step 4: Update and replace the EAR files

tabs
JBoss

  1. Open adobe-core-jboss.ear and replace adminui.war with

    code language-none 
    adobe-xxe-configuration-hotfix/SP[version]/jboss/adminui.war

    For example, adobe-xxe-configuration-hotfix/SP20/jboss/adminui.war

  2. Inside the adobe-core-jboss.ear, go to the lib/ folder and replace adobe-uisupport.jar with:

    code language-none 
    adobe-xxe-configuration-hotfix/SP[version]/adobe-uisupport.jar

    For example, adobe-xxe-configuration-hotfix/SP20/adobe-uisupport.jar

  3. Save the EAR. Ensure changes are saved properly.

  4. Replace adobe-edcserver-jboss.ear with

    code language-none 
    adobe-xxe-configuration-hotfix/SP[version]/jboss/adobe-edcserver-jboss.ear

    For example, adobe-xxe-configuration-hotfix/SP20/jboss/adobe-edcserver-jboss.ear

  5. Replace adobe-forms-jboss.ear with

    code language-none 
    adobe-xxe-configuration-hotfix/SP[version]/jboss/adobe-forms-jboss.ear

    For example, adobe-xxe-configuration-hotfix/SP20/jboss/adobe-forms-jboss.ear
WebLogic

  1. Open adobe-core-weblogic.ear and replace adminui.war with

    code language-none 
    adobe-xxe-configuration-hotfix/SP[version]/weblogic/adminui.war

    For example, adobe-xxe-configuration-hotfix/SP20/weblogic/adminui.war

  2. Inside the adobe-core-weblogic.ear, replace adobe-uisupport.jar with:

    code language-none 
    adobe-xxe-configuration-hotfix/SP[version]/adobe-uisupport.jar

    For example, adobe-xxe-configuration-hotfix/SP20/adobe-uisupport.jar

  3. Save the EAR. Ensure changes are saved properly.

  4. Replace adobe-edcserver-weblogic.ear with

    code language-none 
    adobe-xxe-configuration-hotfix/SP[version]/weblogic/adobe-edcserver-weblogic.ear

    For example, adobe-xxe-configuration-hotfix/SP20/weblogic/adobe-edcserver-weblogic.ear

  5. Replace adobe-forms-weblogic.ear with

    code language-none 
    adobe-xxe-configuration-hotfix/SP[version]/weblogic/adobe-forms-weblogic.ear

    For example, adobe-xxe-configuration-hotfix/SP20/weblogic/adobe-forms-weblogic.ear
WebSphere

  1. Open adobe-core-websphere.ear and replace adminui.war with

    code language-none 
    adobe-xxe-configuration-hotfix/SP[version]/websphere/adminui.war

    For example, adobe-xxe-configuration-hotfix/SP20/websphere/adminui.war

  2. Inside the adobe-core-websphere.ear, replace adobe-uisupport.jar with:

    code language-none 
    adobe-xxe-configuration-hotfix/SP[version]/adobe-uisupport.jar

    For example, adobe-xxe-configuration-hotfix/SP20/adobe-uisupport.jar

  3. Save the EAR. Ensure changes are saved properly.

  4. Replace adobe-edcserver-websphere.ear with

    code language-none 
    adobe-xxe-configuration-hotfix/SP[version]/websphere/adobe-edcserver-websphere.ear

    For example, adobe-xxe-configuration-hotfix/SP20/websphere/adobe-edcserver-websphere.ear

  5. Replace adobe-forms-websphere.ear with

    code language-none 
    adobe-xxe-configuration-hotfix/SP[version]/websphere/adobe-forms-websphere.ear

    For example, adobe-xxe-configuration-hotfix/SP20/websphere/adobe-forms-websphere.ear

Step 5: Update adobe-rightsmanagement-<appserver>-dsc.jarfile with

code language-none 
adobe-xxe-configuration-hotfix/SP[version]/<appserver>/adobe-rightsmanagement-<appserver>-dsc.jar

For example, adobe-xxe-configuration-hotfix/SP20/jboss/adobe-rightsmanagement-jboss-dsc.jar

Step 6: Additional Configuration for Document Security on WebSphere and WebLogic:

If you are using Document Security (formerly Rights Management), set the following Java system property (JVM argument) before starting the AEM Forms server:

code language-none 
-Dcom.adobe.forms.jee.services.allowDoctypeDeclaration=true

Step 7: Re-run the Configuration Manager

  • Launch the Configuration Manager to re-deploy the updated EAR and apply the hotfix

Option 3: (For users on 6.5.17.0 and earlier) Upgrade Path

  1. Upgrade to a supported Service Pack version
  2. Follow Option 1 or Option 2 above based on your new version

References

recommendation-more-help
19ffd973-7af2-44d0-84b5-d547b0dffee2