CVE-2025-64543: Cross-site Scripting (DOM-based XSS) (CWE-79) in Adobe Experience Manager
Adobe Experience Manager versions 6.5.23 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability that could be exploited by a low-privileged attacker to execute malicious scripts in the context of the victim's browser. Exploitation of this issue requires user interaction, such as visiting a crafted URL or interacting with a manipulated web page.
AI Analysis
Technical Summary
CVE-2025-64543 is a DOM-based Cross-Site Scripting vulnerability identified in Adobe Experience Manager (AEM) versions 6.5.23 and earlier. DOM-based XSS occurs when client-side script writes untrusted data (typically taken from the URL, such as the query string or fragment) into the Document Object Model (DOM) through an HTML-interpreting sink without proper encoding or sanitization, so that attacker-controlled markup and script execute in the victim's browser context. In this case, a low-privileged attacker can craft malicious URLs or web pages that, when visited or interacted with by a user, trigger the execution of arbitrary JavaScript code. This can lead to theft of session tokens, user impersonation, or manipulation of web content. The vulnerability requires user interaction (e.g., clicking a link), and the attacker must have at least low privileges; this is a realistic precondition for authenticated users, and for external attackers where public-facing AEM instances allow low-privilege accounts. The CVSS 3.1 base score of 5.4 reflects medium severity: network attack vector, low attack complexity, low privileges required, and user interaction required. The scope is changed (S:C), indicating that the vulnerability affects resources beyond the initially vulnerable component, with low impact on confidentiality and integrity and no impact on availability. No patches or exploits are currently publicly available, but the vulnerability is officially published and should be addressed promptly. Adobe Experience Manager is widely used by enterprises for managing digital content and customer experiences, making this vulnerability a concern for organizations relying on AEM for web content delivery and digital marketing.
Potential Impact
For European organizations, exploitation of this DOM-based XSS vulnerability could lead to unauthorized access to sensitive information such as session cookies, personal data, or internal application data, compromising confidentiality and integrity. Attackers could impersonate legitimate users, perform actions on their behalf, or inject malicious content that damages brand reputation or leads to phishing attacks. While availability is not directly impacted, the indirect consequences of data breaches or defacement could disrupt business operations. Organizations in sectors like finance, government, healthcare, and e-commerce that use Adobe Experience Manager for public-facing websites or intranets are particularly at risk. Given the requirement for user interaction, social engineering campaigns could be used to increase exploitation likelihood. The medium severity rating suggests moderate risk, but the widespread use of AEM in Europe and the potential for chained attacks elevates the threat level. Failure to address this vulnerability could result in regulatory penalties under GDPR if personal data is compromised.
Mitigation Recommendations
1. Apply patches or updates from Adobe as soon as they become available to remediate the vulnerability.
2. Implement strict input validation and output encoding on all user-controllable inputs within AEM to prevent injection of malicious scripts into the DOM.
3. Deploy Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and reduce the impact of XSS attacks.
4. Disable or limit client-side scripting features that are not essential for business functionality.
5. Monitor web traffic and logs for unusual URL patterns or suspicious user interactions that may indicate exploitation attempts.
6. Educate users and administrators about the risks of clicking on untrusted links and recognizing phishing attempts.
7. Conduct regular security assessments and penetration testing focused on client-side vulnerabilities in AEM deployments.
8. Use web application firewalls (WAFs) with rules tuned to detect and block XSS payloads targeting AEM.
9. Segment and restrict access to AEM administrative interfaces to reduce attacker privilege escalation opportunities.
10. Maintain an incident response plan to quickly address any detected exploitation.
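The source-to-sink pattern the technical summary describes, placed beside the output-encoded form that mitigation item 2 calls for, as an added illustration: this is not Adobe's or AEM's code and not the specific defect behind CVE-2025-64543. The page URL, the `name` fragment parameter, and the `containsInjectedTag` review helper are assumptions made for the example.

```javascript
// Added illustration of the DOM-XSS source/sink pattern; not AEM code and not
// the CVE-2025-64543 defect itself. Runs in Node without a browser DOM: the
// functions return the markup a page script would assign to a sink such as
// element.innerHTML, so the effect of encoding can be checked directly.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Output encoding for an HTML text context (mitigation item 2).
function htmlEncode(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// DOM-XSS source: a value read client-side from the URL fragment. The fragment
// is never sent to the server, so server-side filtering cannot see it.
// The 'name' parameter is an assumption for this example.
function nameFromFragment(pageUrl) {
  const fragment = new URL(pageUrl).hash.slice(1); // drop the leading '#'
  return new URLSearchParams(fragment).get('name') ?? '';
}

// Vulnerable pattern: untrusted data concatenated into markup that the browser
// will parse (e.g. via innerHTML), so any tags in the fragment become live DOM.
function buildGreetingUnsafe(pageUrl) {
  return `<h1>Hello ${nameFromFragment(pageUrl)}</h1>`;
}

// Hardened pattern: encode for the HTML text context before building markup.
// Writing the value through element.textContent instead of innerHTML is the
// equivalent fix when the script manipulates the DOM directly.
function buildGreetingSafe(pageUrl) {
  return `<h1>Hello ${htmlEncode(nameFromFragment(pageUrl))}</h1>`;
}

// Review helper (assumed for this example): does the markup contain any tag
// the page author did not write? Useful as a unit-test oracle for templates.
function containsInjectedTag(markup, allowedTags = ['h1']) {
  const tags = [...markup.matchAll(/<\/?([a-zA-Z][\w-]*)/g)].map((m) => m[1].toLowerCase());
  return tags.some((t) => !allowedTags.includes(t));
}

// Constructed sample: a link whose fragment carries markup instead of a name.
const SAMPLE_URL = 'https://aem.example.test/content/greet.html#name=%3Cb%3Evisitor%3C%2Fb%3E';

console.log('unsafe:', buildGreetingUnsafe(SAMPLE_URL), containsInjectedTag(buildGreetingUnsafe(SAMPLE_URL)));
console.log('safe:  ', buildGreetingSafe(SAMPLE_URL), containsInjectedTag(buildGreetingSafe(SAMPLE_URL)));
```

The same check applies to any client-side template: run it over the markup each fragment-driven component produces, and treat any tag the author did not write as an encoding gap.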
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: adobe
- Date Reserved: 2025-11-05T22:51:33.020Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6939bda4fe7b3954b690adeb
Added to database: 12/10/2025, 6:36:20 PM
Last enriched: 12/10/2025, 7:05:45 PM
Last updated: 12/11/2025, 6:05:09 AM