CVE-2025-64549: Cross-site Scripting (Stored XSS) (CWE-79) in Adobe Experience Manager
Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
AI Analysis
Technical Summary
CVE-2025-64549 is a stored Cross-Site Scripting (XSS) vulnerability in Adobe Experience Manager (AEM) versions 6.5.23 and earlier. It arises from insufficient sanitization of user-supplied input in certain form fields: a low-privileged attacker can submit JavaScript that is stored on the server and later executed in the browsers of users who view the affected pages. The weakness is classified as CWE-79 and is triggered when a victim visits a page containing the stored payload, which then runs in the victim's browser context. The CVSS v3.1 base score is 5.4 (medium severity): the attack vector is network (remote), attack complexity is low, low privileges are required (PR:L), and user interaction is required (UI:R). The scope is changed (S:C), meaning the vulnerability can affect resources beyond the initially vulnerable component. Confidentiality and integrity are affected but not availability: an injected script could read session cookies, perform actions on behalf of the user, or alter displayed content. No patches or exploit code are currently publicly available, and no exploitation in the wild has been reported. Nonetheless, given AEM's widespread use in enterprise content management and digital experience platforms, the vulnerability poses a significant risk if left unaddressed: an authenticated user with limited access could use it to target other users, including administrators, and so escalate privileges. The issue underlines the need for robust input validation, output encoding, and timely patching in web applications that handle user-generated content.
Potential Impact
For European organizations, the impact of this vulnerability can be significant, especially for those relying on Adobe Experience Manager for managing websites, intranets, and digital services. Successful exploitation could lead to theft of sensitive session tokens, enabling attackers to impersonate users or administrators, potentially leading to unauthorized access to confidential information. It can also allow attackers to manipulate web content, deface pages, or conduct phishing attacks by injecting malicious scripts. This undermines user trust and can cause reputational damage. Given the medium severity and requirement for user interaction and privileges, the risk is moderate but increases in environments where many users have access to vulnerable forms or where sensitive data is handled. The vulnerability could disrupt business operations by compromising the integrity of digital content and user sessions. In regulated sectors such as finance, healthcare, or government, exploitation could lead to compliance violations under GDPR or other data protection laws, resulting in legal and financial penalties.
Mitigation Recommendations
European organizations should implement the following specific mitigations:
1) Immediately audit and restrict access to vulnerable form fields to only trusted and necessary users to reduce the attack surface.
2) Implement strict input validation and output encoding on all user-supplied data in AEM forms to prevent injection of malicious scripts.
3) Monitor and review content submissions for suspicious or unexpected scripts or HTML tags.
4) Apply any available security patches or updates from Adobe as soon as they are released.
5) Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in browsers.
6) Educate users and administrators about the risks of XSS and encourage cautious behavior when interacting with web content.
7) Use web application firewalls (WAFs) configured to detect and block common XSS payloads targeting AEM.
8) Regularly conduct security assessments and penetration testing focused on web application vulnerabilities.
These measures go beyond generic advice by focusing on access control, monitoring, and layered defenses specific to the AEM environment.
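As an added illustration of mitigations 2 and 3 (this is example code written for this page, not Adobe's or AEM's code, and it does not reference the unnamed vulnerable fields), the following JavaScript shows HTML output encoding of stored field values and a review-time check that flags submissions carrying markup; the field names and sample values are constructed.

```javascript
// Added example (not Adobe's or AEM's code): two defensive helpers for
// stored form-field content, illustrating mitigations 2 and 3 above.
// Field names and sample values are constructed for this example.

// Characters that change meaning inside an HTML element body or attribute.
const HTML_ENTITIES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
};

// Output-encode a stored value before placing it in HTML text content, so a
// stored payload is displayed literally instead of being parsed as markup.
function encodeForHtml(value) {
  return String(value).replace(/[&<>"'\/]/g, (ch) => HTML_ENTITIES[ch]);
}

// Review-time patterns: markup that a plain-text form field should never carry.
const SUSPICIOUS_PATTERNS = [
  { name: 'script-tag',     re: /<\s*\/?\s*script\b/i },
  { name: 'event-handler',  re: /<[^>]*\son[a-z]+\s*=/i },
  { name: 'javascript-uri', re: /javascript\s*:/i },
  { name: 'html-tag',       re: /<\s*[a-z][^>]*>/i },
];

// Scan a submission (object of field -> value) and report which fields match
// which pattern, for monitoring of content submissions (mitigation 3).
function flagSuspiciousSubmission(fields) {
  const findings = [];
  for (const [field, value] of Object.entries(fields)) {
    for (const { name, re } of SUSPICIOUS_PATTERNS) {
      if (re.test(String(value))) findings.push({ field, reason: name });
    }
  }
  return findings;
}

// Render a stored submission as an HTML fragment with every value encoded
// (mitigation 2). Keys are encoded too: they are still untrusted input.
function renderSubmission(fields) {
  return Object.entries(fields)
    .map(([k, v]) => `<dt>${encodeForHtml(k)}</dt><dd>${encodeForHtml(v)}</dd>`)
    .join('');
}

// Constructed sample: one clean field and one carrying a script tag.
const sampleSubmission = {
  fullName: 'Jane Doe',
  comment: 'Nice page <script>alert(1)</script>',
};

console.log(flagSuspiciousSubmission(sampleSubmission));
console.log(renderSubmission(sampleSubmission));
```

The encoder covers the HTML element-body context only; values placed into attributes, URLs or script blocks need the encoding rules of that context instead.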
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: adobe
- Date Reserved: 2025-11-05T22:51:33.022Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6939bda5fe7b3954b690ae0a
Added to database: 12/10/2025, 6:36:21 PM
Last enriched: 12/10/2025, 7:07:18 PM
Last updated: 12/11/2025, 7:33:00 AM