Dylan Pindur
Dylan Pindur, from Perth, is a Security Researcher at Assetnote. He has a diverse background in information security: over the last ten years his roles have included pentesting, creating vulnerable VMs for Offensive Security, and leading an Application Security team for a large insurance company.
Session
Adobe Experience Manager (AEM) is one of the most popular content and digital asset management systems used by enterprises. It’s likely that the home pages of some of the biggest brands you know and love are using AEM under the hood. In this presentation, we will discuss AEM’s internals, its architecture, request routing mechanisms, and internal tooling to assist with security research.
As part of our research into AEM’s internals, we reported to Adobe several high- and critical-risk pre-authentication vulnerabilities affecting AEM’s core code, both on-premise and cloud, which we will publicly release in this presentation. AEM’s exposure on the public internet is vast, with over 45,000 sites currently using the technology.