CVE-2025-54249 MEDIUM

CVE-2025-54249: Adobe Experience Manager | Server-Side Request Forgery (SSRF) (CWE-918)

Vendor Adobe

Product Adobe Experience Manager

Weakness CWE-918 · SSRF

Published September 9, 2025

Last update September 9, 2025

View on NVD All CVEs

CVSS base score

6.5/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality High

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

01Description

Adobe Experience Manager versions 6.5.23.0 and earlier are affected by a Server-Side Request Forgery (SSRF) vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to manipulate server-side requests and bypass security controls allowing unauthorized read access.

Key dates

02Disclosure timeline

September 9, 2025 CVE published

September 9, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-54249 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/918.html

Related vulnerabilities

04Related CVE

CVE-2024-13857 WPGet API <= 2.2.10 - Authenticated (Administrator+) Server-Side Request Forgery CVE-2024-23500 WordPress Kadence Blocks plugin <= 3.2.19 - Server Side Request Forgery (SSRF) vulnerability CVE-2024-31461 Plane Server-Side Request Forgery (SSRF) Vulnerability CVE-2025-8529 cloudfavorites favorites-web CollectController.java getCollectLogoUrl server-side request forgery CVE-2026-33766 AVideo has SSRF Protection Bypass via HTTP Redirect in Image Download Endpoints