CVE-2025-64563 is a DOM-based Cross-Site Scripting (XSS) vulnerability identified in Adobe Experience Manager (AEM) versions 6.5.23 and earlier. DOM-based XSS occurs when client-side scripts write untrusted data to the Document Object Model (DOM) without proper sanitization, allowing attackers to inject malicious JavaScript code that executes in the victim’s browser context. In this case, a low-privileged attacker can craft a malicious URL or manipulate a web page to exploit this vulnerability. The attack requires user interaction, such as clicking a malicious link or visiting a compromised page, to trigger the script execution. The vulnerability impacts confidentiality and integrity by potentially allowing theft of session tokens, user credentials, or manipulation of displayed content, but it does not affect system availability. The CVSS 3.1 base score is 5.4, reflecting medium severity, with vector metrics indicating network attack vector (AV:N), low attack complexity (AC:L), low privileges required (PR:L), user interaction required (UI:R), scope changed (S:C), and partial impact on confidentiality and integrity (C:L/I:L). No public exploits have been reported yet, but the vulnerability is published and should be addressed promptly. Adobe Experience Manager is widely used by enterprises for content management and digital experience delivery, making this vulnerability relevant for organizations relying on AEM for web content management and customer engagement platforms.

For European organizations, exploitation of this vulnerability could lead to unauthorized disclosure of sensitive information such as session cookies or personal data, enabling further attacks like session hijacking or phishing. Integrity of web content could be compromised, potentially damaging brand reputation and user trust. Since AEM is often used by government, financial, and large commercial entities in Europe, a successful attack could have significant operational and regulatory consequences, including GDPR violations due to data leakage. The requirement for user interaction limits automated exploitation but does not eliminate risk, especially in environments with high user traffic and external access. The vulnerability does not impact availability, so denial-of-service is not a concern here. However, the scope change in the CVSS vector indicates that the vulnerability could affect components beyond the initially targeted application context, increasing potential impact. Overall, the threat poses a moderate risk to confidentiality and integrity of European organizations’ web platforms and user data.

European organizations should immediately verify their Adobe Experience Manager versions and plan to upgrade to a patched version once available. In the absence of an official patch, organizations should implement strict input validation and sanitization on all user-controllable inputs that interact with the DOM. Deploying Content Security Policy (CSP) headers can help mitigate the impact by restricting the execution of unauthorized scripts. Web Application Firewalls (WAFs) should be configured to detect and block suspicious payloads targeting DOM-based XSS patterns. User awareness training is critical to reduce the risk of exploitation via social engineering, emphasizing caution when clicking unknown or suspicious links. Regular security assessments and penetration testing focused on client-side vulnerabilities should be conducted to identify similar issues. Monitoring web logs for unusual URL patterns or script injection attempts can provide early detection. Finally, organizations should maintain an incident response plan to quickly address any exploitation attempts.