CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Description (NVD)
Adobe Experience Manager (MS) versions 6.5.23.0 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could lead to arbitrary code execution by an attacker. Exploitation of this issue does not require user interaction. Scope is unchanged.
Analysis (AI)
Adobe Experience Manager versions 6.5.23.0 and earlier contain a deserialization of untrusted data vulnerability that allows unauthenticated remote code execution. No user interaction is required, making this a direct attack against enterprise content management infrastructure.
Technical Context (AI)
AEM deserializes untrusted Java objects from network requests without proper class filtering. Using known Java deserialization gadget chains, an attacker can achieve arbitrary code execution on the AEM server. The vulnerability requires no authentication and no user interaction, providing a direct remote attack path.
Remediation (AI)
Apply the latest AEM security patch from Adobe. Implement Java deserialization filters (JEP 290). Restrict network access to AEM publishing and authoring instances. Monitor AEM error logs for deserialization exceptions.
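As an added illustration of the JEP 290 recommendation above (example code, not from vuln.today, Adobe or AEM), this is an allow-list ObjectInputFilter applied to an ObjectInputStream; the permitted classes and limits are assumed stand-ins that a real service would replace with the types it actually expects:

```java
import java.io.*;
import java.util.ArrayList;
import java.util.HashMap;

/** JEP 290 allow-list filter: only expected classes pass, everything else is rejected. */
public class DeserializationFilterDemo {

    // Assumed allow-list for this demo: java.lang types and ArrayList, with
    // depth/array limits. The trailing "!*" rejects any class not matched earlier,
    // which is what blocks unknown gadget-chain classes.
    static final ObjectInputFilter ALLOW_LIST = ObjectInputFilter.Config.createFilter(
        "java.lang.*;java.util.ArrayList;maxdepth=5;maxarray=1000;!*");

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Hardened read: the filter is consulted for every class descriptor in the stream.
    static Object readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(ALLOW_LIST);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input that matches the allow-list.
        ArrayList<Object> expected = new ArrayList<>();
        expected.add("hello");
        expected.add(42);
        System.out.println("allowed: " + readFiltered(serialize(expected)));

        // Constructed sample input outside the allow-list (HashMap stands in for
        // any unexpected class); the filter rejects it before the object is built.
        byte[] unexpected = serialize(new HashMap<String, String>());
        try {
            readFiltered(unexpected);
        } catch (InvalidClassException e) {
            // Log this: "filter status: REJECTED" is the signal the Remediation
            // section suggests monitoring for.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same pattern string can be applied process-wide via the `jdk.serialFilter` system property, which is useful when the deserializing code cannot be modified.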
EUVD-2025-20752