CVE-2025-54272 is a stored Cross-Site Scripting (XSS) vulnerability identified in Adobe Experience Manager (AEM) versions 11.6 and earlier. This vulnerability arises from insufficient sanitization of user-supplied input in certain form fields, allowing an attacker with low privileges to inject malicious JavaScript code that is stored persistently on the server. When a victim user accesses the affected page containing the malicious payload, the injected script executes within their browser context. This can lead to theft of session cookies, unauthorized actions on behalf of the user, or redirection to malicious sites. The attack requires user interaction, specifically the victim must open a crafted link or visit a page containing the malicious input. The vulnerability changes the scope, meaning it can affect users beyond the initial attacker’s privileges. The CVSS 3.1 base score is 5.4, reflecting a medium severity with low attack complexity, network attack vector, requiring privileges and user interaction, and impacting confidentiality and integrity but not availability. No public exploits have been reported yet, but the vulnerability poses a risk to organizations relying on AEM for web content management, especially those with externally accessible portals or intranets. Adobe has not yet published patches, so organizations must rely on interim mitigations.

For European organizations, this vulnerability can lead to unauthorized disclosure of sensitive information such as session tokens or user data, enabling further attacks like session hijacking or privilege escalation. Integrity of web content and user interactions can be compromised, potentially damaging organizational reputation and trust. Since AEM is widely used by enterprises and government agencies in Europe for managing digital experiences, exploitation could affect critical services and customer-facing portals. The requirement for user interaction limits automated exploitation but targeted phishing or social engineering campaigns could increase risk. Confidentiality breaches could violate GDPR requirements, leading to regulatory penalties. The lack of availability impact means service disruption is unlikely, but data integrity and confidentiality risks remain significant.

Organizations should immediately audit their Adobe Experience Manager deployments for vulnerable versions (11.6 and earlier) and restrict access to sensitive form fields where possible. Implement strict input validation and output encoding on all user-supplied data to prevent script injection. Deploy Content Security Policy (CSP) headers to restrict execution of unauthorized scripts in browsers. Monitor web application logs for suspicious input patterns indicative of XSS attempts. Educate users about the risks of clicking unknown or suspicious links to reduce successful exploitation via social engineering. Prepare to apply official Adobe patches promptly once released. Consider deploying Web Application Firewalls (WAF) with rules targeting XSS payloads as an interim protective measure. Regularly review and update security configurations in AEM to minimize attack surface.