Adobe Patches Vulnerabilities in AEM Forms After Public Exploit Disclosure
Adobe has released emergency updates to fix two zero-day vulnerabilities in Adobe Experience Manager (AEM) Forms on JEE, following the public release of a proof-of-concept (PoC) exploit chain that enables unauthenticated remote code execution (RCE). The flaws, tracked as CVE-2025-54253 and CVE-2025-54254, were discovered by researchers at Searchlight Cyber, who initially disclosed them to Adobe in April 2025. One of the flaws stems from a misconfiguration in the AEM admin interface, where Apache Struts 2 development mode was mistakenly left enabled. This allowed attackers to bypass authentication and execute malicious commands through crafted HTTP requests. The second flaw is an XML External Entity (XXE) vulnerability in a SOAP-based authentication service, which can be abused to read arbitrary files on the server without user interaction. Despite the critical severity of these issues, Adobe did not patch them until after the researchers publicly documented their findings. Combined, the issues form an exploit chain that can fully compromise vulnerable AEM servers exposed to the internet. In response, Adobe has now issued hotfixes to address these vulnerabilities, urging all administrators to apply the updates immediately. For those unable to patch right away, the researchers strongly recommend isolating the platform from public internet access to prevent exploitation. These flaws highlight the ongoing risk of exposed development configurations and insecure processing of unvalidated input in enterprise platforms. Given the public availability of the technical exploit, the risk of real-world attacks is high, and rapid remediation is critical.
Trend Micro warns of active exploitation targeting Apex One RCE flaw
Trend Micro has issued an urgent warning to customers regarding a critical RCE vulnerability in its Apex One endpoint security platform, which is currently being exploited in the wild. Tracked as CVE-2025-54948 and CVE-2025-54987 (depending on the CPU architecture), the flaw stems from a command injection issue within the Apex One Management Console used in on-premise deployments. This vulnerability allows unauthenticated attackers to remotely execute arbitrary code on affected systems without needing login credentials. The threat is particularly severe for organizations with exposed management consoles, as exploitation could result in a full system compromise. Trend Micro has observed at least one real-world attempt to exploit the flaw and has released a temporary mitigation tool while it works on a permanent fix. The mitigation disables the Remote Install Agent function, which administrators typically use to deploy endpoint agents from the console; disabling it is nonetheless necessary to block active exploitation attempts. While this may temporarily disrupt remote management capabilities, the company emphasizes the importance of applying the workaround immediately to reduce exposure. Trend Micro plans to release full patches by mid-August 2025, which will also restore the disabled functionality. Until then, administrators are advised to restrict external access to the Apex One Management Console and implement source IP filtering to limit the potential attack surface. The Japanese CERT has also issued a national advisory urging swift mitigation, which signals the broader risk this vulnerability poses to enterprise environments. Given the active exploitation and the potential for remote code execution without authentication, organizations running Apex One should treat this as a high-priority threat that requires an immediate response.
Update: Bumblebee malware resurfaces through SEO poisoning to deploy ransomware via trojanized IT tools
Threat actors have revived the Bumblebee malware in a targeted campaign, using SEO poisoning to manipulate Bing search results and lure IT administrators into downloading trojanized software. Victims searching for legitimate network management tools, including ManageEngine OpManager, were redirected to a spoofed domain (opmanager[.]pro), which hosted a tampered MSI installer. This file appeared genuine but silently deployed the Bumblebee malware loader while installing the actual software, increasing the likelihood of administrator trust and reducing detection. Bumblebee was embedded inside msimg32.dll and executed via consent.exe, which then established command-and-control communication using a domain generation algorithm (DGA). The loader quickly initiated follow-on actions, including payload retrieval, with some infections escalating to full ransomware deployment. In observed cases the chain concluded with an Akira ransomware variant encrypting both local and network resources in under two days. Analysts recommend monitoring for suspicious MSI executions from user paths, abuse of legitimate tools such as consent.exe, and fast-moving privilege escalation patterns to detect similar threats early. Behavioral detection tuned to correlate installer activity with reconnaissance and credential access within tight timeframes is critical for stopping Bumblebee before ransomware is dropped.
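Detection logic for the indicators the analysts recommend monitoring, as an added example that is not from the original report: the sample events, host names, paths and the 30-minute correlation window are constructed assumptions, and the field names are simplified from Sysmon's process-create and image-load events.

```python
"""Correlate a trojanized MSI run from a user path with consent.exe
sideloading msimg32.dll on the same host (the Bumblebee delivery pattern).
Events are constructed, simplified Sysmon-style records: id 1 = process
create (image, cmdline), id 7 = image load (image, loaded)."""
from datetime import datetime, timedelta

# Constructed sample telemetry: host 01 shows the malicious pattern, host 02
# shows a legitimate deployment and the genuine System32 consent.exe.
EVENTS = [
    {"host": "ws-admin-01", "time": "2025-08-05T09:14:02", "id": 1,
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'msiexec.exe /i "C:\Users\jdoe\Downloads\OpManager_Setup.msi" /qn'},
    {"host": "ws-admin-01", "time": "2025-08-05T09:14:40", "id": 7,
     "image": r"C:\Users\jdoe\AppData\Local\Temp\consent.exe",
     "loaded": r"C:\Users\jdoe\AppData\Local\Temp\msimg32.dll"},
    {"host": "ws-admin-02", "time": "2025-08-05T10:00:00", "id": 1,
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'msiexec.exe /i "C:\ProgramData\Deploy\agent.msi" /qn'},
    {"host": "ws-admin-02", "time": "2025-08-05T10:00:05", "id": 7,
     "image": r"C:\Windows\System32\consent.exe",
     "loaded": r"C:\Windows\System32\msimg32.dll"},
]

USER_PATHS = ("c:\\users\\", "\\temp\\", "\\appdata\\")  # user-writable markers
SYSTEM32 = "c:\\windows\\system32\\"

def user_path(p):
    return any(m in p.lower() for m in USER_PATHS)

def msi_from_user_path(ev):
    """Rule 1: msiexec installing a package that lives under a user-writable path."""
    if ev["id"] != 1 or not ev["image"].lower().endswith("\\msiexec.exe"):
        return False
    cmd = ev["cmdline"].lower()
    return ".msi" in cmd and user_path(cmd)

def consent_sideload(ev):
    """Rule 2: consent.exe (legitimately only in System32) loading msimg32.dll
    where either binary sits outside System32, i.e. a DLL sideload."""
    if ev["id"] != 7 or not ev["image"].lower().endswith("\\consent.exe"):
        return False
    img, dll = ev["image"].lower(), ev["loaded"].lower()
    return dll.endswith("\\msimg32.dll") and (
        not img.startswith(SYSTEM32) or not dll.startswith(SYSTEM32))

def correlate(events, window_min=30):
    """Return hosts where rule 2 fires within window_min minutes after rule 1."""
    ts = lambda e: datetime.fromisoformat(e["time"])
    installs = [e for e in events if msi_from_user_path(e)]
    loads = [e for e in events if consent_sideload(e)]
    return sorted({i["host"] for i in installs for l in loads
                   if l["host"] == i["host"]
                   and timedelta(0) <= ts(l) - ts(i) <= timedelta(minutes=window_min)})
```

Either rule alone is a useful hunting query; the correlation is what captures the "installer followed by sideload within minutes" tempo the analysts describe.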