CVE-2025-64578 is a stored Cross-Site Scripting (XSS) vulnerability identified in Adobe Experience Manager (AEM) versions 6.5.23 and earlier. Stored XSS occurs when an attacker manages to inject malicious scripts into a web application's persistent storage, such as form fields, which are then served to other users without proper sanitization or encoding. In this case, a low-privileged attacker can submit malicious JavaScript code into vulnerable form fields within AEM. When other users browse pages containing these fields, the malicious script executes in their browsers under the context of the vulnerable site. This can lead to session hijacking, theft of sensitive information, or unauthorized actions performed on behalf of the victim. The vulnerability requires the attacker to have some level of privilege to submit data and relies on user interaction to trigger the malicious script execution. The CVSS 3.1 base score is 5.4, indicating medium severity, with the vector AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, meaning network attack vector, low attack complexity, low privileges required, user interaction required, scope changed, and limited confidentiality and integrity impacts but no availability impact. No public exploits or active exploitation have been reported yet. Adobe has not yet published patches or mitigations at the time of this report, so organizations must rely on interim controls. The vulnerability is classified under CWE-79, a common and well-understood web application security issue. Given AEM's widespread use in enterprise content management and digital experience platforms, exploitation could impact many users and systems if left unaddressed.

For European organizations, the impact of this vulnerability can be significant, especially for those relying on Adobe Experience Manager to deliver web content and digital services. Successful exploitation could allow attackers to steal session cookies, impersonate users, or perform unauthorized actions within the context of the affected application, potentially leading to data breaches or defacement of public-facing websites. This can damage organizational reputation, lead to regulatory non-compliance (e.g., GDPR violations if personal data is exposed), and disrupt business operations. Since AEM is often used by government agencies, financial institutions, and large enterprises in Europe, the risk extends to critical infrastructure and sensitive information. The medium severity rating reflects that while the attack requires some privileges and user interaction, the scope includes confidentiality and integrity impacts, which are critical for trust and security in digital services. The absence of known exploits currently provides a window for proactive mitigation, but the potential for future exploitation remains high if unpatched.

European organizations should implement the following specific mitigations: 1) Immediately review and restrict user privileges to the minimum necessary, especially for users who can submit data to AEM forms. 2) Apply strict input validation and sanitization on all form fields to prevent injection of malicious scripts. 3) Implement robust output encoding/escaping on all user-supplied content rendered in web pages to neutralize any injected scripts. 4) Monitor web application logs for unusual or suspicious input patterns indicative of attempted XSS attacks. 5) Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. 6) Where possible, isolate AEM instances and limit access to trusted users and networks. 7) Stay alert for Adobe’s official patches or updates addressing this vulnerability and apply them promptly once available. 8) Conduct security awareness training for administrators and developers on secure coding and XSS risks. 9) Use web application firewalls (WAFs) configured to detect and block XSS payloads targeting AEM. These measures combined will reduce the attack surface and mitigate exploitation risk until a patch is released.