Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Lifecycle Timeline
3DescriptionCVE.org
Adobe Experience Manager versions 6.5.22 and earlier are affected by an Improper Authorization vulnerability that could result in Privilege escalation. A low privileged attacker could leverage this vulnerability to bypass security measures and gain unauthorized access. Exploitation of this issue requires user interaction. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality and integrity impact as high.
AnalysisAI
CVE-2025-46840 is an Improper Authorization vulnerability in Adobe Experience Manager (AEM) versions 6.5.22 and earlier that allows low-privileged attackers to escalate privileges and bypass security controls, potentially achieving session takeover. The vulnerability requires user interaction and has a CVSS score of 8.7 with high confidentiality and integrity impact. While no active exploitation in the wild (KEV status) or public proof-of-concept is currently documented, the network-accessible attack vector and low attack complexity combined with privilege escalation capabilities make this a high-priority patch candidate for organizations running affected AEM instances.
Technical ContextAI
This vulnerability stems from CWE-285 (Improper Authorization), a class of flaws where access control mechanisms fail to properly validate user permissions before granting access to protected resources or operations. In the context of Adobe Experience Manager—an enterprise content management and digital experience platform—the authorization bypass likely affects access control lists (ACLs), role-based access control (RBAC), or permission inheritance mechanisms used to protect administrative functions, content repositories, or user management features. The vulnerability manifests through improper validation of user privileges when handling requests that require elevated permissions, allowing authenticated users with basic privileges to perform actions normally restricted to administrators or higher-privileged roles. This is particularly critical in AEM as it manages sensitive content, user data, and system configurations across enterprise environments.
RemediationAI
Immediate actions: (1) Identify and catalog all AEM 6.5.22 and earlier instances in your environment using vulnerability scanning tools or manual version checks via AEM admin console; (2) Apply the latest security patch immediately—Adobe typically releases patches as 6.5.23 or equivalent; check Adobe's official security advisories and PSIRT updates for exact patch versions; (3) Prioritize patching of internet-facing AEM instances and those handling sensitive content; (4) As interim mitigation pending patch deployment: (a) restrict network access to AEM instances via WAF, firewall rules, or IP whitelisting, limiting exposure to low-privilege authenticated users; (b) enforce multi-factor authentication (MFA) for AEM user accounts to reduce session takeover risk; (c) monitor access logs and session activity for anomalous privilege escalation attempts or unauthorized administrative actions; (d) review and audit current user role assignments and remove unnecessary elevated privileges; (5) After patching, validate remediation by re-scanning with security tools and reviewing authorization controls in test environments before production deployment. References: Monitor Adobe Security Bulletins (https://helpx.adobe.com/security.html) and Adobe PSIRT communications for official patch links and detailed remediation guidance.
More in Experience Manager
View allSitecore Experience Manager, Platform, and Commerce versions 9.0 through 10.4 contain a Zip Slip vulnerability that allo
Sitecore PowerShell Extensions through version 7.0 allows authenticated users to upload arbitrary files including ASPX w
Dispatcher before 4.1.5 in Adobe Experience Manager 5.6.1, 6.0.0, and 6.1.0 does not properly implement a URL filter, wh
Adobe Experience Manager versions 6.5.23.0 and earlier contain a deserialization of untrusted data vulnerability that al
Sitecore Experience Manager (XM) and Experience Platform (XP) versions 10.1 through 10.4.1 contain a hardcoded administr
The Servlets Post component 2.3.6 in Apache Sling, as used in Adobe Experience Manager 5.6.1, 6.0.0, and 6.1.0, allows r
Multiple Sitecore products allow remote code execution. Rated critical severity (CVSS 9.8), this vulnerability is remote
Adobe Experience Manager 6.2 and earlier has a malicious file execution vulnerability. Rated critical severity (CVSS 9.8
Adobe Experience Manager versions 6.5.23.0 and earlier are affected by a Server-Side Request Forgery (SSRF) vulnerabilit
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Sitecore Sitecore Experience Manager (XM), S
An issue was discovered in Sitecore Experience Platform (XP), Experience Manager (XM), and Experience Commerce (XC) 8.0
An issue in the MVC Device Simulator of Sitecore Experience Platform (XP), Experience Manager (XM), and Experience Comme
Same weakness CWE-285 – Improper Authorization
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-17983