CVE-2025-64537: Cross-site Scripting (DOM-based XSS) (CWE-79) in Adobe Experience Manager
Adobe Experience Manager versions 6.5.23 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability that could lead to arbitrary code execution. An attacker could exploit this vulnerability by injecting malicious scripts into a web page that are executed in the context of the victim's browser. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality and integrity impact as high. Exploitation of this issue requires user interaction in that a victim must visit a crafted malicious page.
AI Analysis
Technical Summary
CVE-2025-64537 is a DOM-based Cross-Site Scripting (XSS) vulnerability in Adobe Experience Manager (AEM) versions 6.5.23 and earlier. In a DOM-based XSS the injection happens in the browser rather than on the server: client-side JavaScript shipped by the application takes attacker-controllable data from a source such as the URL (query string or fragment) and passes it to a sink such as innerHTML, document.write or a jQuery html() call without encoding it. Adobe has not published which AEM script or component is affected. An attacker crafts a URL to the AEM site and lures a victim into opening it; the injected JavaScript then runs in the origin of the AEM site, with access to the page DOM and the ability to send authenticated requests as the victim. The "arbitrary code execution" in Adobe's description means script execution in the victim's browser, not code execution on the AEM server. Because the victim must open the link, the CVSS v3.1 vector carries User Interaction: Required, together with Attack Vector: Network, Attack Complexity: Low, Privileges Required: None, Confidentiality and Integrity: High, Availability: None and Scope: Changed, which yields a base score of 9.3 (Critical). The scope change reflects that the vulnerable component (the AEM web application) differs from the impacted component (the victim's browser session), the usual scoring for XSS; it is not a consequence of the session-hijacking outcome itself. No patch is linked in this record and no in-the-wild exploitation had been reported as of publication. The weakness is classified as CWE-79. Since AEM commonly fronts public websites and also serves the author environment where editors and administrators hold sessions, an unmitigated DOM XSS is a significant risk.
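The source-to-sink pattern described above, as an added example written for this page. It is not AEM's code and not the code path behind CVE-2025-64537 (Adobe has not published the affected script); the page URL, the `name` parameter and the payload are constructed for illustration. The point it makes beyond the prose is that a payload carried in the URL fragment reaches the vulnerable sink but never reaches the server, so Dispatcher logs and WAF rules do not see it.

```javascript
'use strict';
// Added example for this page, not AEM's code and not the code path behind
// CVE-2025-64537. It shows the generic DOM-based XSS pattern: a client-side
// script takes a value from the URL (source) and writes it into the page as
// markup (sink). The "name" parameter and the demo URLs are constructed.

// Source: the URL. Both the query string and the fragment are under the
// attacker's control; only the query string is ever sent to the server.
function readNameFromUrl(href) {
  const url = new URL(href);
  const fromQuery = url.searchParams.get('name');
  if (fromQuery !== null) return fromQuery;
  // Fragment-style routing such as "#name=..." is common in single-page UIs.
  const fragment = new URLSearchParams(url.hash.slice(1));
  return fragment.get('name') ?? '';
}

// Vulnerable sink: untrusted text concatenated into markup. In a real page
// this string would be assigned to element.innerHTML, so an injected
// <img onerror=...> or <svg onload=...> executes in the site's origin.
function renderUnsafe(href) {
  return `<h1>Welcome, ${readNameFromUrl(href)}</h1>`;
}

// Hardened sink: encode the five HTML metacharacters before the value
// touches markup (or, better still, assign it with element.textContent).
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

function renderSafe(href) {
  return `<h1>Welcome, ${escapeHtml(readNameFromUrl(href))}</h1>`;
}

// What the request line in a Dispatcher or WAF log contains: path and query,
// never the fragment. A payload carried after '#' is invisible server-side.
function serverSideView(href) {
  const url = new URL(href);
  return url.pathname + url.search;
}

// Constructed demo URLs. The payload uses an event-handler attribute because
// a <script> element inserted through innerHTML is not executed by browsers.
const PAYLOAD = '<img src=x onerror=alert(document.cookie)>';
const PAGE = 'https://aem.example/content/site/en.html';
const QUERY_URL = `${PAGE}?name=${encodeURIComponent(PAYLOAD)}`;
const FRAGMENT_URL = `${PAGE}#name=${encodeURIComponent(PAYLOAD)}`;

for (const href of [QUERY_URL, FRAGMENT_URL]) {
  console.log('server sees :', serverSideView(href));
  console.log('unsafe sink :', renderUnsafe(href));
  console.log('safe sink   :', renderSafe(href));
}
```

Running it prints the same injected markup for both URLs from the unsafe sink, while the server-side view of the fragment URL is just `/content/site/en.html`. That asymmetry is why server-side filtering and access-log review are weak controls for a DOM-based XSS, and why encoding at the sink (or a Content Security Policy that blocks inline handlers) is the control that actually works.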
Potential Impact
The impact of CVE-2025-64537 is substantial for organizations running Adobe Experience Manager 6.5.23 or earlier. A successful attack gives the attacker script execution inside the victim's authenticated AEM session: the script can read page content and any data reachable through the victim's browser, issue requests to AEM as that user and, if the victim is an author or administrator, change content or configuration through the same interfaces the victim can use. "Session takeover" in Adobe's description can mean stealing a session cookie that is not flagged HttpOnly, or simply driving the session from the injected script; either way the confidentiality and integrity of content and content-management workflows are compromised. Availability is not directly affected, but defaced or manipulated customer-facing pages and exposure of unpublished or internal content carry reputational and financial cost. Public AEM sites are reachable by anyone, and the author environment is where the high-value editor and administrator sessions live, so both are at risk whenever a user can be induced to open a crafted link. With no in-the-wild exploitation reported at publication, defenders have a window to mitigate before a working payload circulates.
Mitigation Recommendations
Organizations should inventory their AEM instances and identify any running version 6.5.23 or earlier. The fixed release is not linked in this record, so check Adobe's Security Bulletin for Adobe Experience Manager and upgrade as soon as the fix is available. Until then: 1) Deploy a Content Security Policy whose script directives contain no 'unsafe-inline', using per-response nonces or hashes together with 'strict-dynamic', so that an injected inline script or event handler cannot run; on AEM the header is usually set at the Dispatcher (Apache httpd mod_headers) so it covers every page, and it should first be rolled out as Content-Security-Policy-Report-Only to find AEM's own inline scripts that need nonces. 2) Add Dispatcher filter rules or WAF signatures for XSS patterns in query strings, but treat this as partial coverage: a DOM-based payload carried in the URL fragment never reaches the Dispatcher or WAF, so server-side filtering cannot be relied on. 3) Keep the author instance off the public internet and restrict it to VPN or trusted networks, since administrator and author sessions are the most valuable target. 4) Confirm that session cookies are flagged HttpOnly; this limits cookie theft but does not stop actions the injected script performs within the session. 5) Train users not to open unsolicited links to the AEM domain and filter phishing e-mail that could deliver them. 6) Review custom components and client libraries for DOM sinks (innerHTML, document.write, jQuery html()) fed from location.search or location.hash and replace them with textContent or HTML encoding; this hardens your own code but does not fix the vulnerability in the AEM code Adobe ships. 7) Monitor for exploitation through CSP violation reports (report-uri or report-to) as well as Dispatcher logs, remembering that fragment-borne payloads appear only in the former. 8) Include client-side testing of AEM deployments in regular security assessments and penetration tests.
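A small policy evaluator for the CSP recommendation above, as an added example written for this page (not AEM or Dispatcher code). It answers the one question that matters for a DOM-based XSS, whether an injected inline script or event handler would still execute under a given header, following the CSP Level 3 fallback chain and the rule that 'unsafe-inline' is ignored whenever a nonce, a hash or 'strict-dynamic' is present. The two policy strings at the bottom are constructed for illustration; the nonce value is a placeholder, not something a real deployment should reuse.

```javascript
'use strict';
// Added example for this page, not AEM or Dispatcher code: evaluates whether
// a Content-Security-Policy header value would still let injected inline
// script run. The policy strings below are constructed for illustration.

// Parse "dir1 v1 v2; dir2 v3" into a Map. A repeated directive is ignored,
// as browsers do, so a later 'unsafe-inline' cannot override an earlier one.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    const key = name.toLowerCase();
    if (!directives.has(key)) directives.set(key, values);
  }
  return directives;
}

// <script> elements are governed by script-src-elem; inline event handlers
// (onerror=, onload=) and javascript: URLs by script-src-attr. Both fall back
// to script-src and then default-src. No governing directive means no limit.
const FALLBACK = {
  element: ['script-src-elem', 'script-src', 'default-src'],
  attribute: ['script-src-attr', 'script-src', 'default-src'],
};

function governingSources(csp, kind) {
  for (const name of FALLBACK[kind]) {
    if (csp.has(name)) return csp.get(name);
  }
  return null;
}

// True when every inline script of this kind may run, i.e. when an injected
// <img onerror=...> (kind 'attribute') or <script> (kind 'element') would
// execute. Any nonce or hash source, or 'strict-dynamic', switches
// 'unsafe-inline' off even if it is also listed.
function allowsAllInline(header, kind) {
  const sources = governingSources(parseCsp(header), kind);
  if (sources === null) return true;
  let unsafeInline = false;
  for (const expr of sources) {
    const e = expr.toLowerCase();
    if (/^'(nonce-|sha(256|384|512)-)/.test(e)) return false;
    if (e === "'strict-dynamic'") return false;
    if (e === "'unsafe-inline'") unsafeInline = true;
  }
  return unsafeInline;
}

// Violation reports are the client-side telemetry that server logs cannot
// provide for a DOM-based XSS, because the fragment never reaches the server.
function reportsViolations(header) {
  const csp = parseCsp(header);
  return csp.has('report-uri') || csp.has('report-to');
}

function assessPolicy(header) {
  return {
    inlineElementsRun: allowsAllInline(header, 'element'),
    inlineHandlersRun: allowsAllInline(header, 'attribute'),
    reportsViolations: reportsViolations(header),
  };
}

// Constructed policies: a permissive one often seen on CMS front ends, and a
// nonce-based one that blocks injected inline code and reports attempts.
const WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example";
const STRICT_CSP = "default-src 'self'; script-src 'nonce-R4nd0mPerResponse' 'strict-dynamic'; "
  + "object-src 'none'; base-uri 'none'; report-uri /csp-report";

console.log('weak  :', assessPolicy(WEAK_CSP));
console.log('strict:', assessPolicy(STRICT_CSP));
```

Feed it the header your Dispatcher actually returns (for example from `curl -sI` against a published page) before trusting the policy as a mitigation: a policy that lists 'unsafe-inline' without a nonce or hash, or that has no script directive at all, leaves the injected `<img onerror=...>` free to run and reduces the CSP to a formality.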
Affected Countries
United States, Germany, United Kingdom, France, Japan, Australia, Canada, Netherlands, India, Brazil
Technical Details
- Data Version: 5.2
- Assigner Short Name: adobe
- Date Reserved: 2025-11-05T22:51:33.020Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6939bda4fe7b3954b690addf
Added to database: 12/10/2025, 6:36:20 PM
Last enriched: 2/27/2026, 6:52:53 AM
Last updated: 3/24/2026, 10:08:41 AM
Views: 106