CVE-2025-64564 is a DOM-based Cross-Site Scripting (XSS) vulnerability identified in Adobe Experience Manager (AEM) versions 6.5.23 and earlier. The vulnerability arises from insufficient sanitization of user-controllable input within the client-side scripts of AEM, allowing an attacker to inject malicious JavaScript code that executes in the context of the victim's browser. This type of XSS is classified under CWE-79 and specifically affects the Document Object Model (DOM) processing, meaning the malicious payload is executed as the browser processes the manipulated DOM elements. The attack vector requires a low-privileged attacker to craft a malicious URL or web page that, when visited or interacted with by a victim, triggers the execution of the injected script. The CVSS v3.1 base score of 5.4 reflects a medium severity, with attack vector being network (remote), low attack complexity, requiring low privileges but user interaction, and impacting confidentiality and integrity with no effect on availability. The vulnerability's scope is changed (S:C), indicating that the exploit can affect resources beyond the initially vulnerable component, potentially impacting other parts of the application or user data. No patches or exploit code are currently publicly available, and no known active exploitation has been reported. However, given AEM's widespread use in enterprise content management and web portal deployments, this vulnerability could be leveraged for session hijacking, theft of sensitive information, or further attacks such as privilege escalation or phishing campaigns.

For European organizations, the impact of CVE-2025-64564 can be significant, particularly for those relying on Adobe Experience Manager for managing public-facing websites, intranets, or customer portals. Successful exploitation could lead to the execution of arbitrary scripts in users' browsers, enabling attackers to steal session cookies, credentials, or other sensitive information, thereby compromising user confidentiality and integrity. This could result in unauthorized access to internal systems or data breaches. Although availability is not directly affected, the reputational damage and potential regulatory penalties under GDPR for data leakage could be substantial. Organizations in sectors such as finance, government, healthcare, and e-commerce, which often use AEM for digital content delivery, are at higher risk. Additionally, the requirement for user interaction means social engineering or phishing techniques could be used to increase the likelihood of successful exploitation. The medium severity rating suggests that while the vulnerability is not critical, it still warrants prompt attention to prevent exploitation in targeted attacks or broader campaigns.

1. Monitor Adobe's official security advisories and apply patches or updates for Adobe Experience Manager as soon as they become available, prioritizing upgrades beyond version 6.5.23. 2. Implement strict Content Security Policies (CSP) to restrict the execution of unauthorized scripts and reduce the impact of XSS attacks. 3. Conduct thorough input validation and sanitization on all user-controllable inputs within AEM customizations and extensions to prevent injection of malicious code. 4. Employ web application firewalls (WAF) with rules tailored to detect and block DOM-based XSS attack patterns targeting AEM. 5. Educate end-users and administrators about the risks of interacting with suspicious URLs or links, emphasizing phishing awareness to reduce the chance of user interaction exploitation. 6. Regularly audit and review AEM configurations and custom scripts for security weaknesses, focusing on client-side code that manipulates the DOM. 7. Use browser security features such as HTTPOnly and Secure flags on cookies to mitigate session hijacking risks. 8. Consider implementing multi-factor authentication (MFA) for access to critical AEM administrative interfaces to limit attacker impact if credentials are compromised.