CVE-2025-64548 is a stored Cross-Site Scripting (XSS) vulnerability identified in Adobe Experience Manager (AEM) versions 6.5.23 and earlier. The vulnerability arises from insufficient sanitization of user input in certain form fields, allowing a low-privileged attacker to inject malicious JavaScript code that is stored persistently on the server. When other users, including administrators or content editors, access the affected pages, the injected script executes in their browsers within the security context of the vulnerable AEM instance. This can lead to theft of session cookies, unauthorized actions on behalf of the victim, or redirection to malicious sites. The vulnerability requires the attacker to have some level of access to submit data to the vulnerable forms, and victim users must interact with the compromised content for exploitation to occur. The CVSS 3.1 score of 5.4 reflects a medium severity, with network attack vector, low attack complexity, low privileges required, and user interaction necessary. The scope is changed, indicating that the vulnerability can affect resources beyond the initially vulnerable component. No public exploits have been reported yet, but the risk remains significant due to the widespread use of AEM in enterprise content management. The lack of available patches at the time of publication necessitates immediate mitigation efforts.

For European organizations, the impact of this vulnerability can be substantial, especially for those relying on Adobe Experience Manager for managing public-facing websites, intranets, or digital services. Exploitation could lead to unauthorized disclosure of sensitive information, such as session tokens or personal data, potentially violating GDPR requirements. Attackers could also perform actions on behalf of legitimate users, leading to data integrity issues or defacement of corporate websites, damaging reputation and trust. While availability is not directly impacted, the indirect consequences of successful attacks may include downtime due to incident response or remediation efforts. Organizations in sectors like finance, government, healthcare, and media, which often use AEM for content delivery, are particularly at risk. The medium severity rating suggests that while the vulnerability is not critical, it still poses a meaningful threat that could be leveraged as part of a broader attack chain.

1. Apply official Adobe patches or updates as soon as they become available for AEM versions 6.5.23 and earlier. 2. Implement strict input validation and output encoding on all user-supplied data in form fields to prevent script injection. 3. Restrict privileges of users who can submit data to vulnerable forms, minimizing the risk from low-privileged attackers. 4. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in browsers. 5. Conduct regular security audits and penetration testing focused on web application vulnerabilities, including XSS. 6. Monitor logs and user activity for unusual behavior indicative of exploitation attempts. 7. Educate content editors and administrators about the risks of XSS and safe content handling practices. 8. Consider deploying web application firewalls (WAFs) with rules tailored to detect and block XSS payloads targeting AEM. 9. Isolate critical AEM instances from less trusted networks to reduce exposure. 10. Prepare incident response plans specific to web application attacks involving XSS.