Adobe Experience Manager Forms on JEE Struts DevMode OGNL RCE
CVE-2025-54253 is a critical misconfiguration vulnerability in Adobe Experience Manager (AEM) Forms on Java Enterprise Edition (JEE) affecting version 6.5.23.0 and earlier. The issue is an improper configuration of the AEM Forms JEE platform that leaves Apache Struts development/debug functionality exposed, including Struts devMode and the admin UI debug endpoint. Multiple sources indicate that an unauthenticated attacker can send specially crafted requests, including OGNL expressions, to the exposed adminui debug functionality, bypass security mechanisms, and trigger arbitrary code execution on the server. The vulnerability is remotely exploitable over the network, requires no user interaction, and its CVSS vector carries a scope change. Public proof-of-concept exploit code is available, and CISA has added the CVE to its Known Exploited Vulnerabilities (KEV) catalog because of observed exploitation in the wild.
Exploits
3 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (3 hidden).
The repository contains a single Python tool (aempwn.py) plus a README and a GPLv3 license. The tool is a multi-target network scanner aimed at Adobe Experience Manager (AEM) Forms endpoints for CVE-2025-54253 and CVE-2025-54254. It normalizes targets to HTTPS by default, then POSTs XML to a fixed list of likely AEM Forms submission endpoints. Capabilities include: (1) a safe behavior probe using a per-run canary token to detect XML reflection or an unsafe parsing surface; (2) in-band XXE probes that attempt to read local files (/etc/hostname, /etc/passwd, C:\Windows\win.ini) and AWS metadata via 169.254.169.254; (3) an out-of-band (OOB) XXE mode that sends a parameter-entity payload referencing {oob_url}/evil.dtd (requires an attacker-hosted DTD and monitoring); and (4) an RCE escalation mode that sends an external entity reference to an attacker-supplied LDAP/JNDI URL (e.g., ldap://host:1389/#Exploit), intended to trigger Java class loading and execution when combined with external LDAP/HTTP infrastructure (as described in its README). Results are scored and printed; confirmed hits are appended to an output file (code default: aempwn-results.txt). The code uses threading for mass scanning and disables TLS verification.
This repository provides a simulated proof-of-concept (PoC) for CVE-2025-54253, an OGNL injection vulnerability in Adobe AEM. It consists of a vulnerable Flask server (server/server/app.py) that mimics the behavior of a misconfigured AEM endpoint, a PoC script (poc/cve-2025-54253-poc.py) that sends system commands wrapped in OGNL payloads to that server, and supporting files such as logs and documentation. The exploit demonstrates remote command execution by sending crafted requests to the '/adminui/debug' endpoint with the 'debug' parameter containing an OGNL expression; the server executes the command and returns its output, simulating the impact of the vulnerability. The repository is strictly for educational and defensive research purposes, with clear warnings against use outside isolated lab environments, and no real-world exploitation code for production systems is provided. The main attack vector is network-based, targeting a web endpoint. Fingerprintable artifacts include the simulated HTTP URLs and the log file used for tracking payloads and responses.
This repository provides a proof-of-concept (PoC) exploit for CVE-2025-54253, a critical OGNL injection vulnerability in Adobe AEM Forms on JEE (versions <= 6.5.23.0). The vulnerability allows unauthenticated remote attackers to execute arbitrary operating system commands via the /adminui/debug endpoint by injecting OGNL expressions. The repository contains:
- A Python PoC script (poc/cve-2025-54253-poc.py) that sends crafted GET requests to the vulnerable endpoint, executing commands such as 'whoami', 'id', 'uname -a', and 'ls -la'.
- A simulated vulnerable Flask server (server/server/app.py) that mimics the behavior of the vulnerable endpoint for local testing and demonstration purposes. This server executes received commands if the 'debug' parameter starts with 'OGNL:'.
- Logs (logs/exploit.log) showing example exploitation attempts and command execution.
- Documentation (README.md) with technical details, exploitation steps, mitigation advice, and references.
The main exploit capability is unauthenticated remote code execution via network-accessible HTTP requests to the /adminui/debug endpoint. The repository is structured for both demonstration and testing, with clear separation between the PoC, the server simulation, and the documentation. No fake or detection-only scripts are present; the code is a functional exploit PoC.
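The request pattern the two PoC summaries above describe (GET /adminui/debug with a 'debug' parameter that starts with 'OGNL:') is enough to build a first-pass detection over web server access logs. The following is an added example written for this page, not code from any of the repositories; it assumes Combined Log Format lines, and the log lines it scans are constructed samples with a placeholder in place of any real expression.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (Combined Log Format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2025:12:00:01 +0000] "GET /content/dam/logo.png HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2025:12:00:02 +0000] "GET /adminui/debug?debug=OGNL%3AEXPRESSION_PLACEHOLDER HTTP/1.1" 200 88 "-" "python-requests/2.31"
203.0.113.9 - - [10/Oct/2025:12:00:03 +0000] "GET /adminui/debug HTTP/1.1" 403 0 "-" "curl/8.0"
198.51.100.2 - - [10/Oct/2025:12:00:04 +0000] "POST /adminui/debug?debug=ognl%253aEXPRESSION_PLACEHOLDER HTTP/1.1" 500 10 "-" "Go-http-client/1.1"
"""

# Minimal Combined Log Format parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

DEBUG_PATH = "/adminui/debug"  # endpoint named in the CVE-2025-54253 write-ups

def classify_request(target):
    """Return 'high', 'medium' or None for one request target."""
    parts = urlsplit(target)
    if parts.path.rstrip("/").lower() != DEBUG_PATH:
        return None
    # parse_qs decodes one layer of percent-encoding; unquote again to catch
    # double-encoded values, then compare case-insensitively.
    for value in parse_qs(parts.query, keep_blank_values=True).get("debug", []):
        if unquote(value).lstrip().upper().startswith("OGNL:"):
            return "high"      # matches the published exploitation pattern
    return "medium"            # any hit on the debug endpoint deserves a look

def scan_log(text):
    """Scan access-log text and return one finding per request of interest."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue          # skip lines that are not Combined Log Format
        severity = classify_request(m["target"])
        if severity:
            findings.append({"ip": m["ip"], "ts": m["ts"], "method": m["method"],
                             "status": int(m["status"]), "severity": severity})
    return findings

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"[{f['severity'].upper()}] {f['ts']} {f['ip']} {f['method']} -> HTTP {f['status']}")
```

A 200 on a 'high' finding means the endpoint answered the request, which is the case to treat as a possible compromise rather than a blocked probe.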
Recent activity
83 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A remote code execution vulnerability affecting Adobe AEM Forms related to Apache Struts 'DevMode' functionality, enabling potential code execution on vulnerable instances.
A deserialization vulnerability in Adobe Experience Manager, potentially leading to remote code execution. Actively exploited and in CISA's KEV catalog.
A misconfiguration vulnerability in Adobe Experience Manager Forms on Java EE that is being actively exploited in the wild.
A misconfiguration vulnerability in Adobe Experience Manager Forms (versions 6.5.23 and earlier) that allows arbitrary code execution without user interaction. The flaw is rated CVSS 10.0 due to its severity and scope change.