Adobe Experience Manager (AEM) Groovy Console

critical Web App Scanning Plugin ID 115068

Language:

Synopsis

Description

The remote Adobe Experience Manager (AEM) expose a Groovy console that allows users to execute arbitrary Groovy scripts on the server. This can lead to remote code execution and complete compromise of the AEM instance and the underlying server.

Solution

Restrict access to the endpoint using a .htaccess file, limiting access to known IP Addresses

Plugin Details

Severity: Critical

ID: 115068

Type: remote

Family: Web Applications

Published: 12/4/2025

Updated: 12/4/2025

Scan Template: basic, full, pci, scan

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: Critical

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: Tenable

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS Score Source: Tenable

CVSS v4

Risk Factor: Critical

Base Score: 9.3

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CVSS Score Source: Tenable

Reference Information

CWE: 16

OWASP: 2010-A6, 2013-A5, 2017-A6, 2021-A5

WASC: Application Misconfiguration

OWASP API: 2019-API7, 2023-API8

Detections

Analytics

Adobe Experience Manager (AEM) Groovy Console

critical Web App Scanning Plugin ID 115068

Synopsis

Description

Solution

Plugin Details

Risk Information

VPR

CVSS v2

CVSS v3

CVSS v4

Reference Information