CVE-2025-64560 is a DOM-based Cross-Site Scripting (XSS) vulnerability identified in Adobe Experience Manager (AEM) versions 6.5.23 and earlier. This vulnerability arises from improper handling of user-controllable input within the Document Object Model (DOM) of affected web pages, allowing an attacker to inject and execute arbitrary JavaScript code in the context of a victim's browser. The attack vector requires a low-privileged attacker to craft a malicious URL or manipulate web page content that, when visited or interacted with by a user, triggers the execution of the injected script. The vulnerability impacts confidentiality and integrity by potentially enabling theft of sensitive information such as session tokens, cookies, or other data accessible via the browser, and may allow actions on behalf of the user. The CVSS 3.1 base score is 5.4 (medium severity), reflecting network attack vector (AV:N), low attack complexity (AC:L), low privileges required (PR:L), and user interaction required (UI:R). The scope is changed (S:C), indicating the vulnerability affects resources beyond the initially vulnerable component. No known exploits have been reported in the wild, and Adobe has not yet published patches or mitigation details. The vulnerability is categorized under CWE-79, which covers Cross-Site Scripting issues. Given the widespread use of AEM in enterprise content management, this vulnerability poses a risk to organizations relying on affected versions for web content delivery and management.

For European organizations, the impact of CVE-2025-64560 can be significant in environments where Adobe Experience Manager is used to manage public-facing or internal web portals. Successful exploitation could lead to unauthorized disclosure of sensitive information, session hijacking, and potential impersonation of legitimate users, undermining trust and potentially leading to data breaches. Although the vulnerability does not directly affect system availability, the compromise of user sessions or data integrity can disrupt business operations and damage reputation. Organizations in sectors such as finance, government, healthcare, and media, which often use AEM for critical web content, may face increased risk. The requirement for user interaction limits automated exploitation but does not eliminate risk, especially in phishing or social engineering scenarios. The absence of known exploits suggests a window for proactive mitigation, but the medium severity score indicates that organizations should not delay remediation. Additionally, the changed scope implies that the vulnerability could affect multiple components or services integrated with AEM, broadening potential impact.

To mitigate CVE-2025-64560, European organizations should immediately assess their Adobe Experience Manager deployments to identify affected versions (6.5.23 and earlier). Although no official patches are currently available, organizations should monitor Adobe's security advisories closely for updates and apply patches promptly once released. In the interim, implement strict input validation and sanitization on all user-controllable inputs within AEM-managed web pages to prevent injection of malicious scripts. Deploy Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and reduce the impact of potential XSS attacks. Enhance user awareness training to recognize and avoid suspicious links or web content that could trigger exploitation. Employ web application firewalls (WAFs) with rules tailored to detect and block XSS attack patterns targeting AEM. Conduct regular security testing, including penetration testing and code reviews, focusing on DOM-based XSS vectors. Finally, monitor logs and user activity for anomalies that may indicate attempted exploitation, enabling rapid incident response.