Adobe Experience Manager Expression Language injection via cloudsettings
Description
Adobe Experience Manager (AEM) is an enterprise content management platform for building websites, mobile applications, and digital forms.
This vulnerability allows unauthenticated attackers to inject malicious Expression Language (EL) code through the DAM (Digital Asset Management) cloud settings bulk import configuration endpoint. Expression Language injection occurs when user-controlled input is evaluated as EL code (the `${...}` or `#{...}` expression syntax) rather than treated as a literal value, enabling attackers to invoke arbitrary Java methods and read internal application objects from within the evaluating process.
Remediation
1. Immediately apply the latest Adobe Experience Manager security hotfixes as documented in security bulletin APSB25-90, available at https://helpx.adobe.com/security/products/experience-manager/apsb25-90.html

2. Verify your AEM version and apply the appropriate hotfix package for your installation (AEM 6.5.x or AEM as a Cloud Service).

3. As a temporary mitigation until patching is complete, restrict network access to the AEM author instance using firewall rules or access control lists, limiting exposure to trusted IP addresses only.

4. Review AEM access logs for requests targeting /libs/dam/cloud/settings or the bulk import endpoints, looking for unusual parameter values or EL syntax (`${` or `#{`, possibly URL-encoded) where a plain configuration value is expected.

5. After applying patches, verify the fix by confirming that user input submitted to the cloud settings configuration is stored and rendered as a literal string and is not evaluated as an expression.

6. Implement defense-in-depth measures, including Web Application Firewall (WAF) rules to detect and block EL injection attempts, and ensure AEM runs with the minimum Java permissions it requires.
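The log review in step 4 can be scripted. The block below is an added example written for this page, not code from Adobe or the advisory: it parses lines in AEM's default access.log layout (the regex is an assumption; adjust it if your instance uses a custom format), percent-decodes the request URI repeatedly so double-encoded payloads are seen, and flags any request carrying an EL expression start. The advisory names only /libs/dam/cloud/settings; treating the whole /libs/dam/cloud/ tree as the high-severity target is an assumption made here so the related bulk import configuration requests are caught as well. The sample log lines are constructed for this example.

```python
"""Scan AEM access.log lines for Expression Language injection attempts.

Added illustration for this advisory, not Adobe's code. Assumptions:
  - access.log layout:  ip - user date tz "METHOD uri proto" status bytes "ref" "ua"
  - anything under /libs/dam/cloud/ counts as the targeted endpoint family
"""
import re
from urllib.parse import unquote

# Default AEM access.log line layout (assumption; adjust for custom formats).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) (?P<ts>\S+ \S+) '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

# Both EL delimiter forms: immediate ${...} and deferred #{...}.
EL_RE = re.compile(r'[$#]\{')

# The advisory names /libs/dam/cloud/settings; the broader prefix is an assumption.
SUSPECT_PREFIX = '/libs/dam/cloud/'

# Constructed sample lines (not real traffic). Line 2 encodes ${''.getClass()},
# line 3 is double-encoded #{1+1}, line 4 has EL syntax outside the DAM tree.
SAMPLE_LOG = """\
10.0.0.5 - admin 21/Aug/2025:09:12:01 +0000 "GET /libs/dam/cloud/settings.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - 21/Aug/2025:09:13:44 +0000 "GET /libs/dam/cloud/settings?provider=%24%7B%27%27.getClass%28%29%7D HTTP/1.1" 200 832 "-" "curl/8.4.0"
203.0.113.9 - - 21/Aug/2025:09:13:50 +0000 "POST /libs/dam/cloud/settings?name=%2523%257B1%252B1%257D HTTP/1.1" 500 0 "-" "curl/8.4.0"
198.51.100.2 - - 21/Aug/2025:09:14:02 +0000 "GET /content/mysite/en.html?q=%24%7Btest HTTP/1.1" 200 2231 "-" "Mozilla/5.0"
"""


def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode until stable (bounded) so %2524%257B-style double encoding is unwrapped."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def contains_el(value: str) -> bool:
    """True if the decoded value contains the start of an EL expression."""
    return EL_RE.search(fully_decode(value)) is not None


def scan_line(line: str):
    """Return a finding dict for a suspicious request line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None                      # unparsable line; not silently trusted, just skipped here
    uri = m.group('uri')
    if not contains_el(uri):             # checks path and query together
        return None
    path = uri.split('?', 1)[0]
    severity = 'high' if path.startswith(SUSPECT_PREFIX) else 'low'
    return {
        'ip': m.group('ip'),
        'user': m.group('user'),
        'ts': m.group('ts'),
        'method': m.group('method'),
        'status': m.group('status'),
        'path': path,
        'decoded_uri': fully_decode(uri),
        'severity': severity,
    }


def scan_log(text: str) -> list:
    """Scan a whole log file body; findings are returned in log order."""
    findings = []
    for line in text.splitlines():
        f = scan_line(line)
        if f:
            findings.append(f)
    return findings


if __name__ == '__main__':
    for f in scan_log(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['ts']} {f['ip']} {f['method']} {f['decoded_uri']} -> {f['status']}")
```

Run it against a copy of crx-quickstart/logs/access.log instead of SAMPLE_LOG to triage a real instance. One caveat: the default access log records only the request line, so an EL payload submitted in a POST body will not appear in it; for those requests you need request-body logging at the dispatcher or WAF layer, which is where the detection rules from step 6 belong.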