CVE-2025-64539: Cross-site Scripting (DOM-based XSS) (CWE-79) in Adobe Experience Manager
Adobe Experience Manager versions 6.5.23 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability that could lead to arbitrary code execution. An attacker could exploit this vulnerability by injecting malicious scripts into a web page that are then executed in the context of the victim's browser. A successful attacker can abuse this to achieve session takeover, which raises the confidentiality and integrity impact to high. Exploitation of this issue requires user interaction: a victim must visit a crafted malicious page.
AI Analysis
Technical Summary
CVE-2025-64539 is a DOM-based Cross-Site Scripting (XSS) vulnerability classified under CWE-79, affecting Adobe Experience Manager (AEM) versions 6.5.23 and earlier. The vulnerability arises from improper handling of untrusted data in the client-side DOM environment, allowing attackers to inject malicious JavaScript into web pages served by AEM. When a victim visits a maliciously crafted page or link, the injected script executes within their browser context, enabling the attacker to hijack user sessions, steal sensitive information, or perform actions on behalf of the user. Exploitation requires no privileges or authentication, but it does require user interaction, specifically visiting a malicious URL. The CVSS v3.1 base score of 9.3 indicates critical severity: network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), user interaction required (UI:R), changed scope (S:C), high impact on confidentiality (C:H) and integrity (I:H), and no impact on availability (A:N). Adobe Experience Manager is widely used by enterprises to manage digital content and customer experiences, which makes this vulnerability particularly dangerous: it can lead to session hijacking and unauthorized actions within affected web applications. No patches or exploit code are currently publicly available, but the vulnerability is published and should be treated as urgent for remediation.
Potential Impact
The impact of CVE-2025-64539 is significant for organizations using Adobe Experience Manager, particularly those managing sensitive customer data or critical business processes through their web portals. Successful exploitation can lead to session hijacking, allowing attackers to impersonate legitimate users, access confidential information, and manipulate data or application behavior. This compromises both the confidentiality and the integrity of the affected systems. Although availability is not directly impacted, the loss of trust and potential data breaches can have severe reputational and financial consequences. Enterprises relying on AEM for digital marketing, e-commerce, or customer engagement platforms are at risk of targeted attacks, especially if users are tricked into visiting malicious links. The requirement for user interaction limits automated exploitation but does not reduce the threat in phishing or social engineering scenarios. The vulnerability could also be leveraged as a foothold for further attacks within an organization's network.
Mitigation Recommendations
Organizations should immediately assess their Adobe Experience Manager deployments to identify affected versions (6.5.23 and earlier). Since no patch links are provided yet, temporary mitigations include implementing strict Content Security Policy (CSP) headers to restrict script execution, sanitizing and validating all user inputs and URL parameters on the client side, and employing web application firewalls (WAFs) with rules designed to detect and block DOM-based XSS payloads. Note that a DOM-based payload carried in the URL fragment never reaches the server, so WAF coverage of this class of issue is partial and client-side controls such as CSP carry more weight. Additionally, educating users to avoid clicking on suspicious links can reduce the risk of exploitation. Monitoring web traffic and logs for unusual script injections or user behavior indicative of session hijacking attempts is recommended. Once Adobe releases an official patch, organizations should prioritize timely deployment. Regular security assessments and penetration testing focused on client-side vulnerabilities will help detect similar issues proactively.
Affected Countries
United States, Germany, United Kingdom, France, Canada, Australia, Japan, Netherlands, India, Brazil
Technical Details
- Data Version: 5.2
- Assigner Short Name: adobe
- Date Reserved: 2025-11-05T22:51:33.020Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6939bda4fe7b3954b690ade5
Added to database: 12/10/2025, 6:36:20 PM
Last enriched: 2/27/2026, 6:53:22 AM
Last updated: 3/25/2026, 10:15:14 AM