CVE-2025-64591 is a stored Cross-Site Scripting (XSS) vulnerability identified in Adobe Experience Manager (AEM) versions 6.5.23 and earlier. This vulnerability arises from insufficient input sanitization in certain form fields, allowing a low-privileged attacker to inject malicious JavaScript code that is stored on the server and later executed in the browsers of users who access the affected pages. The attack vector is network-based, requiring the attacker to submit crafted input through vulnerable forms. The vulnerability requires low privileges (PR:L) and user interaction (UI:R), meaning the victim must visit the compromised page for the malicious script to execute. The scope is changed (S:C), indicating that the vulnerability can affect resources beyond the initially vulnerable component, potentially impacting the confidentiality and integrity of user data. The CVSS v3.1 base score is 5.4, reflecting a medium severity level. The impact includes potential theft of session cookies, user impersonation, defacement, or redirection to malicious sites. No patches or exploits are currently publicly available, but the vulnerability is published and should be addressed promptly. The vulnerability is categorized under CWE-79, a common web application security issue related to improper neutralization of input during web page generation.

For European organizations, the impact of CVE-2025-64591 can be significant, especially for those relying on Adobe Experience Manager for managing public-facing websites or intranet portals. Exploitation could lead to unauthorized disclosure of sensitive user information, session hijacking, and manipulation of web content, undermining user trust and potentially causing reputational damage. In sectors such as finance, government, healthcare, and e-commerce, where AEM is often used, the confidentiality and integrity of user data are critical. The vulnerability could also be leveraged as a foothold for further attacks within the network if session tokens or credentials are compromised. Given the medium severity and the requirement for user interaction, the risk is moderate but should not be underestimated, particularly in environments with high user traffic or sensitive data processing.

1. Monitor Adobe’s official channels for patches or security updates addressing CVE-2025-64591 and apply them promptly once available. 2. Implement strict input validation and output encoding on all form fields within AEM to prevent injection of malicious scripts. Use server-side validation in addition to client-side checks. 3. Deploy Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and reduce the impact of XSS attacks. 4. Conduct regular security audits and penetration testing focused on web application vulnerabilities, including XSS. 5. Educate users and administrators about the risks of clicking on suspicious links or interacting with untrusted content. 6. Use web application firewalls (WAFs) configured to detect and block common XSS attack patterns targeting AEM. 7. Limit privileges of users who can submit content to the system to reduce the attack surface. 8. Review and harden AEM configurations to disable unnecessary features or components that may increase exposure.