Skip to main content

Experience Manager CVE-2025-46840

| EUVDEUVD-2025-17983 HIGH
Improper Authorization (CWE-285)
2025-06-10 psirt@adobe.com
8.7
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.7 HIGH
AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Mar 14, 2026 - 19:49 euvd
EUVD-2025-17983
Analysis Generated
Mar 14, 2026 - 19:49 vuln.today
CVE Published
Jun 10, 2025 - 23:15 nvd
HIGH 8.7

DescriptionCVE.org

Adobe Experience Manager versions 6.5.22 and earlier are affected by an Improper Authorization vulnerability that could result in Privilege escalation. A low privileged attacker could leverage this vulnerability to bypass security measures and gain unauthorized access. Exploitation of this issue requires user interaction. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality and integrity impact as high.

AnalysisAI

CVE-2025-46840 is an Improper Authorization vulnerability in Adobe Experience Manager (AEM) versions 6.5.22 and earlier that allows low-privileged attackers to escalate privileges and bypass security controls, potentially achieving session takeover. The vulnerability requires user interaction and has a CVSS score of 8.7 with high confidentiality and integrity impact. While no active exploitation in the wild (KEV status) or public proof-of-concept is currently documented, the network-accessible attack vector and low attack complexity combined with privilege escalation capabilities make this a high-priority patch candidate for organizations running affected AEM instances.

Technical ContextAI

This vulnerability stems from CWE-285 (Improper Authorization), a class of flaws where access control mechanisms fail to properly validate user permissions before granting access to protected resources or operations. In the context of Adobe Experience Manager—an enterprise content management and digital experience platform—the authorization bypass likely affects access control lists (ACLs), role-based access control (RBAC), or permission inheritance mechanisms used to protect administrative functions, content repositories, or user management features. The vulnerability manifests through improper validation of user privileges when handling requests that require elevated permissions, allowing authenticated users with basic privileges to perform actions normally restricted to administrators or higher-privileged roles. This is particularly critical in AEM as it manages sensitive content, user data, and system configurations across enterprise environments.

RemediationAI

Immediate actions: (1) Identify and catalog all AEM 6.5.22 and earlier instances in your environment using vulnerability scanning tools or manual version checks via AEM admin console; (2) Apply the latest security patch immediately—Adobe typically releases patches as 6.5.23 or equivalent; check Adobe's official security advisories and PSIRT updates for exact patch versions; (3) Prioritize patching of internet-facing AEM instances and those handling sensitive content; (4) As interim mitigation pending patch deployment: (a) restrict network access to AEM instances via WAF, firewall rules, or IP whitelisting, limiting exposure to low-privilege authenticated users; (b) enforce multi-factor authentication (MFA) for AEM user accounts to reduce session takeover risk; (c) monitor access logs and session activity for anomalous privilege escalation attempts or unauthorized administrative actions; (d) review and audit current user role assignments and remove unnecessary elevated privileges; (5) After patching, validate remediation by re-scanning with security tools and reviewing authorization controls in test environments before production deployment. References: Monitor Adobe Security Bulletins (https://helpx.adobe.com/security.html) and Adobe PSIRT communications for official patch links and detailed remediation guidance.

CVE-2025-34510 HIGH POC
8.8 Jun 17

Sitecore Experience Manager, Platform, and Commerce versions 9.0 through 10.4 contain a Zip Slip vulnerability that allo

CVE-2025-34511 HIGH POC
8.8 Jun 17

Sitecore PowerShell Extensions through version 7.0 allows authenticated users to upload arbitrary files including ASPX w

CVE-2016-0957 HIGH POC
7.5 Feb 10

Dispatcher before 4.1.5 in Adobe Experience Manager 5.6.1, 6.0.0, and 6.1.0 does not properly implement a URL filter, wh

CVE-2025-49533 CRITICAL POC
9.8 Jul 08

Adobe Experience Manager versions 6.5.23.0 and earlier contain a deserialization of untrusted data vulnerability that al

CVE-2025-34509 HIGH POC
7.5 Jun 17

Sitecore Experience Manager (XM) and Experience Platform (XP) versions 10.1 through 10.4.1 contain a hardcoded administr

CVE-2016-0956 HIGH POC
7.5 Feb 10

The Servlets Post component 2.3.6 in Apache Sling, as used in Adobe Experience Manager 5.6.1, 6.0.0, and 6.1.0, allows r

CVE-2023-35813 CRITICAL POC
9.8 Jun 17

Multiple Sitecore products allow remote code execution. Rated critical severity (CVSS 9.8), this vulnerability is remote

CVE-2017-3108 CRITICAL
9.8 Aug 11

Adobe Experience Manager 6.2 and earlier has a malicious file execution vulnerability. Rated critical severity (CVSS 9.8

CVE-2025-54249 MEDIUM POC
6.5 Sep 09

Adobe Experience Manager versions 6.5.23.0 and earlier are affected by a Server-Side Request Forgery (SSRF) vulnerabilit

CVE-2025-53694 HIGH POC
7.5 Sep 03

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Sitecore Sitecore Experience Manager (XM), S

CVE-2024-46938 HIGH POC
7.5 Sep 15

An issue was discovered in Sitecore Experience Platform (XP), Experience Manager (XM), and Experience Commerce (XC) 8.0

CVE-2023-33651 HIGH POC
7.5 Jun 06

An issue in the MVC Device Simulator of Sitecore Experience Platform (XP), Experience Manager (XM), and Experience Comme

Share

CVE-2025-46840 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy