CVE-2025-54246: 
Adobe Experience Manager vulnerability analysis and mitigation

CVE-2025-54246 is an Incorrect Authorization vulnerability affecting Adobe Experience Manager (AEM) versions 6.5.23.0 and earlier, discovered by Dylan Pindur and Adam Kues from Assetnote. The vulnerability was disclosed on September 9, 2025, and could result in a security feature bypass (NVD, Adobe Security).

The vulnerability is classified as an Incorrect Authorization issue (CWE-863) with a CVSS v3.1 base score of 6.5 (Medium). The attack vector is network-based (AV:N), requires low attack complexity (AC:L), low privileges (PR:L), and no user interaction (UI:N). The scope is unchanged (S:U), with no impact on confidentiality (C:N), high impact on integrity (I:H), and no impact on availability (A:N) (NVD).

A low-privileged attacker could leverage this vulnerability to bypass security measures and gain unauthorized write access to the system. This could potentially allow the attacker to modify content or settings they shouldn't have access to (NVD, CIS Advisory).

Adobe has released security updates to address this vulnerability. Organizations are advised to update to the latest version of Adobe Experience Manager. The vulnerability affects both AEM Cloud Service (CS) 6.5 LTS SP1 and earlier versions, as well as AEM Cloud Service (CS) 6.5.23 and earlier versions (CIS Advisory).