CVE-2025-64564 is a DOM-based Cross-Site Scripting (XSS) vulnerability identified in Adobe Experience Manager (AEM) versions 6.5.23 and earlier. DOM-based XSS occurs when client-side scripts write untrusted data to the Document Object Model (DOM) without proper sanitization, enabling attackers to inject malicious scripts that execute in the victim’s browser context. This vulnerability can be exploited by a low-privileged attacker who crafts a malicious URL or web page that, when visited or interacted with by a user, triggers the execution of arbitrary JavaScript code. The attack vector requires user interaction (such as clicking a link), but no elevated privileges are necessary. The vulnerability affects confidentiality and integrity by potentially allowing theft of session tokens, user credentials, or manipulation of displayed content, but it does not impact system availability. The CVSS 3.1 base score is 5.4, reflecting medium severity with network attack vector, low attack complexity, low privileges required, and user interaction needed. The scope is changed, indicating that the vulnerability affects components beyond the initially vulnerable module. No known exploits have been reported in the wild, and Adobe has not yet released patches. Given AEM’s widespread use in enterprise content management and digital experience platforms, this vulnerability poses a risk to organizations relying on AEM for web content delivery and management.

For European organizations, the impact of CVE-2025-64564 can be significant, especially for those using Adobe Experience Manager to manage public-facing websites or intranet portals. Successful exploitation could lead to unauthorized disclosure of sensitive information such as session cookies, personal data, or internal content, undermining user trust and potentially violating GDPR requirements. Integrity of displayed content could be compromised, enabling phishing or social engineering attacks targeting employees or customers. While availability is not directly affected, reputational damage and compliance penalties could be severe. Organizations in sectors such as finance, government, healthcare, and critical infrastructure that rely heavily on AEM for digital engagement are particularly vulnerable. The requirement for user interaction means that social engineering or phishing campaigns could be used to increase exploitation likelihood. The absence of known exploits in the wild currently reduces immediate risk but does not eliminate the threat, especially as attackers often weaponize such vulnerabilities post-disclosure.

1. Implement strict input validation and output encoding on all user-controllable inputs within AEM to prevent injection of malicious scripts into the DOM. 2. Employ Content Security Policy (CSP) headers to restrict the execution of untrusted scripts and reduce the impact of XSS attacks. 3. Educate users and administrators about the risks of clicking on suspicious links or interacting with untrusted content to reduce the likelihood of successful exploitation. 4. Monitor web server and application logs for unusual or suspicious requests that may indicate attempted exploitation. 5. Isolate critical AEM instances behind web application firewalls (WAFs) configured to detect and block XSS attack patterns. 6. Regularly review and update third-party components and custom code integrated with AEM to ensure they do not introduce additional XSS vectors. 7. Prepare for rapid deployment of official Adobe patches once released by maintaining an up-to-date inventory of affected AEM versions and testing patch compatibility in staging environments. 8. Consider implementing multi-factor authentication (MFA) for AEM administrative access to reduce risk from compromised credentials resulting from XSS attacks.