CVE-2025-64545 is a DOM-based Cross-Site Scripting vulnerability identified in Adobe Experience Manager (AEM) versions 6.5.23 and earlier. This vulnerability arises due to improper handling of untrusted data in the client-side scripts, allowing an attacker to inject malicious JavaScript that executes within the victim's browser context. The attack vector requires the victim to interact with a crafted URL or manipulated web page, making user interaction necessary for exploitation. The attacker needs low privileges, which means that even non-administrative users can potentially craft attacks targeting other users of the system. The vulnerability impacts confidentiality and integrity by enabling theft of session tokens, user credentials, or manipulation of displayed content, potentially leading to further attacks such as privilege escalation or phishing. The CVSS v3.1 base score of 5.4 reflects a medium severity, with attack vector being network (remote), low attack complexity, requiring privileges but with user interaction, and scope changed due to impact on other components. No patches are currently linked, and no exploits are known in the wild, indicating that this vulnerability is newly disclosed. Adobe Experience Manager is widely used by enterprises for web content management and digital experience delivery, making this vulnerability relevant for organizations relying on AEM for their web presence and customer engagement platforms.

For European organizations, the impact of this vulnerability can be significant, especially for those using Adobe Experience Manager to manage public-facing websites or internal portals. Successful exploitation could lead to theft of sensitive user information, session hijacking, and unauthorized actions performed on behalf of legitimate users. This can result in reputational damage, regulatory non-compliance (e.g., GDPR violations due to data leakage), and potential financial losses. Since AEM is often integrated with other enterprise systems, a successful XSS attack could serve as a pivot point for more extensive attacks within the network. The requirement for user interaction somewhat limits the attack scope but does not eliminate risk, especially in environments with high user traffic or where social engineering can be leveraged. The confidentiality and integrity of user data are primarily at risk, while availability is not directly impacted. Given the widespread use of AEM in sectors such as government, finance, and retail across Europe, the threat is relevant and should be addressed promptly.

European organizations should implement a multi-layered mitigation approach: 1) Monitor Adobe’s official channels for patches and apply updates to Adobe Experience Manager as soon as they become available. 2) In the absence of patches, implement strict input validation and sanitization on all user-supplied data processed by client-side scripts to prevent malicious script injection. 3) Deploy Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and reduce the impact of potential XSS attacks. 4) Educate users about the risks of interacting with suspicious URLs or links, especially those received via email or untrusted sources. 5) Conduct regular security assessments and penetration testing focused on client-side vulnerabilities in AEM deployments. 6) Use web application firewalls (WAFs) with rules tailored to detect and block XSS attack patterns targeting AEM. 7) Review and harden AEM configurations to minimize exposure of vulnerable components and reduce attack surface. 8) Implement robust logging and monitoring to detect anomalous activities that may indicate exploitation attempts.