CVE-2025-64549 is a stored Cross-Site Scripting (XSS) vulnerability identified in Adobe Experience Manager (AEM) versions 6.5.23 and earlier. Stored XSS occurs when malicious scripts are permanently stored on a target server, typically within form fields or content management inputs, and then served to users without proper sanitization. In this case, a low-privileged attacker can inject arbitrary JavaScript code into vulnerable form fields within AEM. When other users browse pages containing these fields, the malicious script executes in their browsers under the context of the vulnerable domain. This can lead to session hijacking, credential theft, unauthorized actions on behalf of users, or defacement of web content. The vulnerability requires some level of user interaction (browsing the affected page) and low privileges for exploitation, but no high-level authentication is necessary. The CVSS 3.1 base score of 5.4 reflects a medium severity, with attack vector being network-based, low attack complexity, requiring privileges, and user interaction. The impact affects confidentiality and integrity but not availability. No public exploits or active exploitation have been reported to date. The vulnerability is classified under CWE-79, a common and well-understood web application security weakness. Adobe has not yet released a patch at the time of this report, so organizations must rely on interim mitigations.

For European organizations, the impact of this vulnerability can be significant, especially for those relying on Adobe Experience Manager for managing digital content, websites, and customer interactions. Exploitation could allow attackers to steal session cookies or authentication tokens, enabling unauthorized access to sensitive information or administrative functions. This could lead to data breaches, reputational damage, and regulatory non-compliance under GDPR due to exposure of personal data. Additionally, attackers could manipulate website content, causing misinformation or defacement that undermines trust. Since AEM is widely used by enterprises, government agencies, and media companies across Europe, the scope of affected systems is broad. The requirement for low privileges and user interaction lowers the barrier for exploitation, increasing risk. However, the absence of known exploits in the wild and medium severity score suggest that immediate critical damage is unlikely but should not be ignored.

European organizations should implement the following specific mitigations: 1) Immediately audit all AEM instances for vulnerable versions (6.5.23 and earlier) and plan for prompt upgrades once Adobe releases patches. 2) Apply strict input validation and sanitization on all form fields and user inputs within AEM to prevent injection of malicious scripts. 3) Employ output encoding techniques to ensure that any user-supplied content is safely rendered in browsers. 4) Use Content Security Policy (CSP) headers to restrict execution of unauthorized scripts and reduce XSS impact. 5) Monitor web logs and user activity for unusual behavior indicative of XSS exploitation attempts. 6) Educate users and administrators about the risks of clicking on suspicious links or content within AEM-managed sites. 7) Consider temporary disabling or restricting vulnerable form fields if patching is delayed. 8) Regularly review and update web application firewall (WAF) rules to detect and block XSS payloads targeting AEM. These measures, combined with timely patching, will reduce the attack surface and mitigate exploitation risks.