CVE-2025-64572 is a stored Cross-Site Scripting (XSS) vulnerability identified in Adobe Experience Manager (AEM), specifically affecting versions 6.5.23 and earlier. Stored XSS vulnerabilities occur when malicious input is saved by the application and later rendered in users' browsers without proper sanitization or encoding. In this case, a low-privileged attacker can inject malicious JavaScript code into vulnerable form fields within AEM. When other users access pages containing these fields, the injected script executes in their browsers under the context of the vulnerable site. This can lead to theft of session tokens, user impersonation, or unauthorized actions performed on behalf of the victim. The vulnerability requires user interaction, as the victim must visit the compromised page to trigger the script execution. The CVSS 3.1 base score of 5.4 reflects a medium severity, considering the attack vector is network-based, the attack complexity is low, privileges required are low, but user interaction is necessary. The scope is changed, indicating that the vulnerability affects components beyond the initially vulnerable module, potentially impacting other parts of the application. No known exploits have been reported in the wild at the time of publication, but the vulnerability poses a credible risk given the widespread use of AEM in enterprise web content management. The absence of patch links suggests that Adobe may not have released a fix yet or that the information is not included in this dataset. The vulnerability is classified under CWE-79, which covers improper neutralization of input during web page generation, a common and well-understood web security issue.

For European organizations, the impact of CVE-2025-64572 can be significant, especially for those relying on Adobe Experience Manager for critical web content delivery and digital services. Exploitation can lead to unauthorized disclosure of sensitive information such as session cookies or personal data, enabling further attacks like account takeover or privilege escalation. The integrity of web content can be compromised, potentially damaging organizational reputation and trust. Although availability is not directly affected, the indirect consequences of successful XSS attacks include phishing, malware distribution, and lateral movement within the network. Given the medium severity, the risk is moderate but should not be underestimated in environments with high-value targets or sensitive data. The requirement for user interaction means that social engineering or phishing campaigns could be used to lure victims to maliciously crafted pages. European data protection regulations such as GDPR impose strict requirements on protecting personal data, and exploitation of this vulnerability could lead to compliance violations and financial penalties.

European organizations should implement a multi-layered mitigation approach. First, monitor Adobe's official channels for patches or security advisories and apply updates promptly once available. In the interim, implement strict input validation and output encoding on all form fields within AEM to prevent injection of malicious scripts. Deploy Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and reduce the impact of any injected code. Conduct regular security audits and penetration testing focused on web application security to identify and remediate similar vulnerabilities proactively. Educate users about the risks of clicking on suspicious links or interacting with untrusted content to reduce the likelihood of successful exploitation. Employ web application firewalls (WAFs) with rules tailored to detect and block XSS attack patterns targeting AEM. Finally, review and harden user privilege assignments within AEM to minimize the ability of low-privileged users to inject malicious content.