Pwning AEM Websites

Adobe Experience Manager (AEM), is a comprehensive content management solution for building websites, managing marketing content and assets. Top companies use AEM as a platform for building their web-applications. I started to look into AEM security back in 2015. Since then I discovered and reported several server-side vulnerabilities and developed toolset for AEM hacking ( to automate security testing of AEM web-applications.

In 2019 I reported one code injection and three XML external entity (XXE) vulnerabilities to Adobe PSIRT. They are known as CVE-2019-8086, CVE-2019-8087, CVE-2019-8088 ( These vulnerabilities allow anonymous attackers to compromise AEM web-applications. In the talk, I will disclose details of new vulnerabilities and exploitation techniques. Additionally, I want to share a new remarkable technique to bypass misconfigured AEM dispatcher.

Location: Track 2 Date: April 23, 2020 Time: 10:30 am - 11:30 am Mikhail Egorov