Two Critical Pre-Authentication Flaws in Adobe Experience Manager Forms Remain Unpatched, Searchlight Cyber Discloses

Brisbane, Australia – Searchlight Cyber's Assetnote Security Research Team has concluded its "Christmas in July" research initiative by disclosing details of two Remote Code Execution (RCE) vulnerabilities and one XML External Entity (XXE) flaw found in Adobe Experience Manager (AEM) Forms. The cybersecurity firm announced that one of the RCE vulnerabilities and the XXE flaw currently lack official patches from Adobe, posing a significant risk to users.

The vulnerabilities, all exploitable without authentication, were detailed in Searchlight Cyber's final research post for their July campaign. As stated in a social media post by "shubs," a member of the team:

> "The @SLCyberSec research team is releasing our final research post for our Christmas in July efforts, two RCEs and one XXE (all pre-auth) in Adobe Experience Manager Forms. One of the RCEs and the XXE still do not have official patches."

One of the RCE vulnerabilities, identified as an insecure deserialization flaw (CVE-2025-49533), carries a critical CVSS score of 9.8. Successful exploitation of these pre-authentication vulnerabilities could allow attackers to execute arbitrary code on affected systems or access sensitive data, impacting the integrity and confidentiality of enterprise data managed through AEM Forms. Adobe Experience Manager is a widely adopted content management system used by numerous large enterprises globally.

While Adobe has issued various security updates for AEM, including APSB25-48 on July 21, 2025, which addressed multiple critical vulnerabilities, Searchlight Cyber's latest disclosure highlights specific issues that remain unpatched. Adobe has published mitigation advice for CVE-2025-49533, while the XXE flaw in the AEM Forms web services is rated high risk because it requires no authentication to reach. In other words, workarounds exist for some of the issues, but a comprehensive official patch for these specific vulnerabilities is still pending.

This latest disclosure follows earlier findings by Searchlight Cyber in July, where they identified and reported three cross-site scripting (XSS) vulnerabilities in AEM, which Adobe subsequently patched. The ongoing discoveries underscore the continuous need for rigorous security testing and prompt patching in widely used enterprise software. Organizations utilizing Adobe Experience Manager Forms are advised to apply all available patches and follow mitigation guidance from Adobe and security researchers to protect their systems.