Mitigating Remote Code Execution Vulnerability for AEM Forms on JEE (CVE-2025-49533)

This document provides guidance on addressing CVE-2025-49533, a critical Remote Code Execution vulnerability in AEM Forms on JEE that could allow an attacker to execute unauthorized code on the server.

Release History

Release Date: 2025-08-05
Included Fixes: Latest security enhancements released to address the Remote Code Execution Vulnerability (CVE-2025-49533) in AEM Forms on JEE.
Notes: Apply the updated fix as described in Mitigating XXE, Configuration, and Remote Code Execution (CVE-2025-49533) Vulnerabilities for AEM Forms on JEE to ensure all relevant vulnerabilities are addressed. If you have already installed the earlier fixes for the Remote Code Execution vulnerability, you do not need to uninstall them before applying the comprehensive fix described in that article.

Release Date: 2025-07-08
Included Fixes: Earlier fixes released to mitigate the Remote Code Execution Vulnerability (CVE-2025-49533) for AEM Forms on JEE.
Notes: The instructions in the earlier fixes section below address the initial aspects of the Remote Code Execution vulnerability. The latest patch builds on these fixes and adds further security enhancements for additional potential exploits identified after the initial remediation. Follow the instructions in Mitigating XXE, Configuration, and Remote Code Execution (CVE-2025-49533) Vulnerabilities for AEM Forms on JEE to ensure comprehensive protection.

Need help?
If you encounter any issues, contact Adobe Experience Manager Forms Support.

Initial fixes to mitigate a Remote Code Execution Vulnerability for AEM Forms on JEE

Release Date: 2025-07-08

The fix applies only to Adobe Experience Manager 6.5 Forms on JEE standalone deployments. A standalone deployment is an AEM Forms installation without the AEM author or publish EAR installed.

Resolution

AEM Forms Version: AEM 6.5 Forms on JEE Service Pack 18 through Service Pack 23 (standalone AEM Forms on JEE deployments)
Required Action: Apply the hotfix

AEM Forms Version: AEM 6.5 Forms on JEE Service Pack 17 and earlier
Required Action: Upgrade to a supported Service Pack version, then apply the recommended mitigation steps for your new version

Note: AEM Forms officially supports only the six most recent service packs. Users on older versions should first upgrade to the latest service pack and then implement the required security measures.

Apply the hotfix

  1. Download the hotfix:

    • Access Adobe Software Distribution to download the hotfix.
    • Save the hotfix file to your local machine.
    • Verify the integrity of the downloaded file.
  2. Install the hotfix:

    • Open AEM Workbench.
    • Connect to the affected AEM Forms server.
    • Navigate to Window → Show View → Components.
    • Right-click in the Components view and select “Install Component”.
    • Browse and select the hotfix file.
    • Follow the installation wizard prompts and wait for completion.
  3. Wait and validate:

    • Wait for all services to fully initialize.
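Step 1 asks you to verify the integrity of the downloaded hotfix before installing it. The script below is an added example of doing that from a POSIX shell; it is not Adobe's code and is not part of the original article. It computes the SHA-256 of the saved file and compares it with an expected digest you pass in, refusing the file on a mismatch, a malformed digest, or a missing file. It assumes you obtain the expected SHA-256 value out of band (for example, from the download page; where Adobe publishes such a value is an assumption here), and the script and file names in the usage line are placeholders.

```shell
#!/bin/sh
# Added example (not Adobe's code): check a downloaded hotfix against an
# expected SHA-256 digest before installing it with Workbench.
# Assumption: the expected digest is obtained out of band (e.g. from the
# download page) and passed as the second argument.

# Print the lowercase hex SHA-256 of a file using whichever tool is available.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print $1}'
    else
        # openssl prints "SHA256(file)= <hex>"; the digest is the last field.
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

# verify_sha256 FILE EXPECTED_HEX
# Returns 0 on match, 1 on mismatch, 2 on a usage error (missing file or
# malformed digest). Anything other than 0 means: do not install the file.
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'ABCDEF' 'abcdef')

    if [ ! -f "$file" ]; then
        echo "verify: $file: no such file" >&2
        return 2
    fi
    # The digest must be exactly 64 hex characters; reject anything else so a
    # pasted-in typo cannot be mistaken for a verified download.
    case "$expected" in
        *[!0-9a-f]*)
            echo "verify: expected digest contains non-hex characters" >&2
            return 2 ;;
    esac
    if [ "${#expected}" -ne 64 ]; then
        echo "verify: expected digest must be 64 hex characters, got ${#expected}" >&2
        return 2
    fi

    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches the expected SHA-256"
        return 0
    fi
    echo "MISMATCH: $file does not match the expected SHA-256" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
}

# Usage: sh verify-hotfix.sh <hotfix-file> <expected-sha256>
# (script and file names are placeholders)
if [ "$#" -eq 2 ]; then
    verify_sha256 "$1" "$2"
    exit $?
fi
```

Run it against the saved hotfix file and the expected digest; only proceed to the Workbench installation when it prints OK. Comparing the full 64-character digest rather than eyeballing a prefix is deliberate: a truncated comparison is much easier to collide than the full hash.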