CVE-2025-64562 is a DOM-based Cross-Site Scripting (XSS) vulnerability identified in Adobe Experience Manager (AEM) versions 6.5.23 and earlier. DOM-based XSS occurs when client-side scripts write untrusted data to the Document Object Model (DOM) without proper sanitization, enabling attackers to inject malicious scripts that execute in the victim’s browser context. This vulnerability can be exploited by an attacker with low privileges who crafts a malicious URL or manipulates a web page that a victim must interact with, such as clicking a link or visiting a specially crafted page. Upon successful exploitation, the attacker can execute arbitrary JavaScript in the victim’s browser, potentially stealing session tokens, cookies, or other sensitive information, and performing actions on behalf of the user. The CVSS 3.1 base score of 5.4 reflects a medium severity, with attack vector being network-based (remote), low attack complexity, requiring low privileges but user interaction, and impacting confidentiality and integrity with no effect on availability. The vulnerability affects the confidentiality and integrity of user data but does not directly compromise the server or availability of the service. No patches or exploit code are currently publicly available, and no known exploits in the wild have been reported. The vulnerability is classified under CWE-79, which covers improper neutralization of input during web page generation leading to XSS. Given the widespread use of Adobe Experience Manager in enterprise and government web content management, this vulnerability poses a significant risk if left unmitigated.

For European organizations, the exploitation of this DOM-based XSS vulnerability could lead to unauthorized disclosure of sensitive information such as session cookies, authentication tokens, or personal data processed through Adobe Experience Manager portals. This can facilitate session hijacking, unauthorized actions on behalf of users, and potentially lead to further attacks like phishing or malware delivery. Organizations in sectors such as government, finance, healthcare, and media that rely on AEM for public-facing websites or intranet portals are particularly at risk. The impact is primarily on confidentiality and integrity of user data rather than availability, but the reputational damage and regulatory consequences under GDPR for data breaches could be significant. Since exploitation requires user interaction, social engineering could be used to increase success rates. The vulnerability could also be leveraged as a stepping stone for more sophisticated attacks targeting European digital infrastructure where AEM is widely deployed.

1. Apply patches or updates from Adobe as soon as they become available for Adobe Experience Manager 6.5.23 and earlier versions. 2. Implement strict input validation and output encoding on all user-supplied data that is reflected in the DOM to prevent injection of malicious scripts. 3. Deploy Content Security Policy (CSP) headers to restrict the execution of untrusted scripts and reduce the impact of XSS attacks. 4. Educate users and administrators about the risks of clicking on suspicious links or interacting with untrusted web content. 5. Use web application firewalls (WAFs) configured to detect and block XSS attack patterns targeting AEM endpoints. 6. Regularly audit and review custom AEM components and client-side scripts for unsafe DOM manipulations. 7. Monitor logs and user activity for signs of suspicious behavior that could indicate exploitation attempts. 8. Consider implementing multi-factor authentication (MFA) to reduce the impact of stolen session tokens.