CVE-2025-64576 is a stored Cross-Site Scripting (XSS) vulnerability identified in Adobe Experience Manager (AEM) versions 6.5.23 and earlier. The vulnerability arises from insufficient sanitization of user input in certain form fields, allowing a low-privileged attacker to inject malicious JavaScript code that is stored on the server and subsequently executed in the browsers of users who access the affected pages. This type of stored XSS can lead to session hijacking, credential theft, defacement, or redirection to malicious sites. The vulnerability requires the attacker to have some level of access to submit data (low privilege) and requires user interaction (victim must visit the compromised page). The CVSS 3.1 base score of 5.4 reflects a medium severity, with attack vector being network-based, low attack complexity, requiring privileges, and user interaction. The scope is changed (S:C), indicating that the vulnerability can affect resources beyond the initially vulnerable component. No public exploits have been reported yet, but the presence of this vulnerability in a widely used enterprise content management system makes it a notable risk. Adobe has not yet released a patch or mitigation guidance at the time of this report, increasing the urgency for organizations to implement compensating controls.

For European organizations, the impact of this vulnerability can be significant, especially for those relying on Adobe Experience Manager to manage and deliver web content. Exploitation could lead to unauthorized disclosure of sensitive information such as session cookies, personal data, or internal content, violating GDPR and other data protection regulations. Integrity of web content can be compromised, potentially damaging brand reputation and trust. Attackers could also use the vulnerability as a foothold to conduct further attacks within the network. Given the widespread use of AEM in government, finance, healthcare, and large enterprises across Europe, the potential for targeted attacks is high. The medium severity rating suggests that while the vulnerability is not critical, it still poses a tangible risk that could disrupt business operations and lead to regulatory penalties if exploited.

European organizations should immediately audit their Adobe Experience Manager deployments to identify affected versions (6.5.23 and earlier). In the absence of an official patch, organizations should implement strict input validation and output encoding on all user-supplied data in AEM forms to prevent script injection. Restrict user privileges to the minimum necessary to reduce the risk of malicious input submission. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in browsers. Monitor web logs and application behavior for unusual activities indicative of XSS exploitation attempts. Consider isolating or segmenting AEM instances to limit the scope of potential compromise. Engage with Adobe support for updates and apply patches promptly once available. Additionally, conduct user awareness training to recognize suspicious web behavior and report anomalies.