Adobe Experience Manager SSRF: when your CMS dials your internal apps behind your back
The CrowdSec Network has detected a wave of exploitation attempts targeting CVE-2025-54249 in Adobe Experience Manager (AEM). CVE-2025-54249 allows attackers to make AEM issue network requests on their behalf. This technique, known as server-side request forgery (SSRF), often lets attackers deepen an intrusion by reaching internal services connected to AEM. While the vulnerability itself is rated medium severity, services connected to AEM, such as marketing databases and CRM systems, may be unpatched and critically vulnerable. CrowdSec intelligence has detected around 70 distinct IPs probing for this vulnerability. The vulnerability affects all versions of Adobe Experience Manager before 6.5.23.0.

CrowdSec’s key findings on CVE-2025-54249
- The vulnerability was disclosed on September 9, 2025; CrowdSec coverage and telemetry show exploitation attempts starting October 16, 2025.
- Exploitation attempts were observed almost immediately after the release of the detection rule, suggesting ongoing exploitation campaigns.
- The vulnerability has not yet been added to the CISA Known Exploited Vulnerabilities (KEV) list, but based on the data available to us, we recommend immediate remediation.
What is Adobe Experience Manager (AEM)?
AEM is Adobe’s enterprise digital experience/CMS platform used by web, marketing, and product teams to manage content and customer experiences across sites and channels. AEM can be thought of as an Adobe-integrated WordPress. It often runs as both public “publish” nodes and internal “author” nodes, and integrates with many internal services.
As a consequence of this, the external nodes are very likely to be connected to internal services. This allows the SSRF vulnerability to act as a stepping stone for further exploitation.
About CVE-2025-54249
A very detailed report on the vulnerability can be found on the blog of Searchlight Cyber, which discovered and disclosed it. CVE-2025-54249 is part of a whole batch of vulnerabilities discovered during the same pentest, all of which were patched by Adobe in the same patch sequence. The vulnerability works by first bypassing the primitive dispatcher that Adobe places in front of AEM to prevent publish nodes from leaking internal information. Once the dispatcher has been bypassed, requests can be forwarded to the vulnerable endpoint by smuggling them through the auth_uri parameter in the request body.
Trend analysis
The detailed nature of the researchers’ report and the ease with which the exploit can be deployed make it unsurprising that CrowdSec has observed significant activity targeting the vulnerability.
In our data, we observe a mix of opportunistic scanning and what we assume are targeted exploits. The vulnerability naturally lends itself to this kind of behavior: the SSRF can be used to ping an attacker-controlled web server to determine whether a given deployment is vulnerable.
For exploitation, the attacker then has to do some internal exploration within the target’s network, as they have to figure out what other vulnerable services they can access.
In total, we have observed about 8 attacks per day for this vulnerability originating from around 70 distinct attacker IPs.
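The two behaviors described above (requests carrying an auth_uri value that points at an attacker-controlled server, and later ones pointing at internal hosts) can be surfaced from request logs. The following is an added example, not CrowdSec's or Adobe's code; it assumes a tab-separated log in which a WAF or reverse proxy has recorded the decoded POST body, a constructed allowlist, and a placeholder path rather than the real endpoint.

```python
"""Flag AEM requests whose auth_uri parameter names an unexpected host.

Constructed example. Log format (assumed): ip<TAB>method<TAB>path<TAB>decoded body.
The path /placeholder/endpoint stands in for the real vulnerable endpoint.
"""
import ipaddress
from typing import Iterable, Iterator, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Hosts auth_uri may legitimately reference (constructed for this example).
ALLOWED_HOSTS = {"author.example.internal"}


def extract_auth_uri(body: str) -> Optional[str]:
    """Return the first auth_uri value in a form-encoded body, percent-decoded."""
    values = parse_qs(body, keep_blank_values=True).get("auth_uri")
    return values[0] if values else None


def is_suspicious_target(uri: str) -> bool:
    """True when auth_uri names a host outside the allowlist or a raw IP literal."""
    parts = urlsplit(uri if "://" in uri else "//" + uri)  # tolerate scheme-less values
    host = parts.hostname
    if not host:
        return True  # empty or unparsable host: do not trust it
    try:
        ipaddress.ip_address(host)
        return True  # IP literals are never expected from legitimate clients here
    except ValueError:
        return host not in ALLOWED_HOSTS


def scan_log(lines: Iterable[str]) -> Iterator[Tuple[str, str]]:
    """Yield (client_ip, auth_uri) for POST requests that look like SSRF probes."""
    for line in lines:
        fields = line.rstrip("\n").split("\t", 3)
        if len(fields) != 4 or fields[1] != "POST":
            continue
        uri = extract_auth_uri(fields[3])
        if uri is not None and is_suspicious_target(uri):
            yield fields[0], uri


# Constructed sample log lines: an external callback probe, a legitimate
# internal target, an internal-network probe, and an unrelated GET.
SAMPLE_LOG = [
    "203.0.113.7\tPOST\t/placeholder/endpoint\tauth_uri=http%3A%2F%2Fattacker.example%2Fping&x=1",
    "10.0.0.5\tPOST\t/placeholder/endpoint\tauth_uri=https%3A%2F%2Fauthor.example.internal%2Flogin",
    "203.0.113.9\tPOST\t/placeholder/endpoint\tauth_uri=http%3A%2F%2F10.0.0.10%2Flatest",
    "198.51.100.2\tGET\t/content/page.html\t",
]

if __name__ == "__main__":
    for ip, target in scan_log(SAMPLE_LOG):
        print(f"possible CVE-2025-54249 probe from {ip}: auth_uri={target}")
```

Feed it the same fields your WAF or proxy emits; a hit from an external client with an external callback host is the scanning phase, while hits naming internal hosts indicate the exploration phase.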
How to protect your systems
- Patch: Apply Adobe’s APSB25-90 update guidance. For AEM 6.5, install the GRANITE-61551 hotfix or move to the latest 6.5 LTS/CS release. Keep both the author and publish instances current.
- Stay Proactive: Deploy CrowdSec’s behavioral WAF to detect and stop CVE-2025-54249. A virtual-patching rule for this CVE was released on the 15th of October.
You can learn more about this vulnerability and the information we have gathered by checking out our CVE Explorer page.
