CVE-2025-64592 is a stored Cross-Site Scripting (XSS) vulnerability identified in Adobe Experience Manager (AEM) versions 6.5.23 and earlier. Stored XSS occurs when malicious input is saved on the server and later rendered in users' browsers without proper sanitization or encoding. In this case, a low privileged attacker can inject malicious JavaScript code into vulnerable form fields within AEM. When other users access the affected pages, the injected script executes in their browsers, potentially allowing attackers to steal session cookies, perform actions on behalf of the user, or deface content. The vulnerability requires the attacker to have some level of access to submit data (low privileges) and relies on user interaction (browsing the affected page). The CVSS 3.1 vector indicates network attack vector (AV:N), low attack complexity (AC:L), privileges required (PR:L), user interaction required (UI:R), scope changed (S:C), and impacts on confidentiality and integrity (C:L/I:L) but no impact on availability (A:N). No known exploits have been reported in the wild, and no official patches were linked at the time of disclosure, though Adobe typically issues security updates for AEM. The vulnerability is classified under CWE-79, which covers improper neutralization of input during web page generation. Given AEM's role as a widely used enterprise content management system, exploitation could affect many users and systems relying on AEM for web content delivery.

For European organizations, this vulnerability poses risks primarily to confidentiality and integrity of user sessions and data. Attackers exploiting this flaw could hijack user sessions, steal sensitive information, or manipulate web content, potentially damaging organizational reputation and user trust. Since AEM is widely used by enterprises and public sector entities across Europe for digital experience management, successful exploitation could disrupt critical web services or lead to data breaches. The impact is heightened in sectors with stringent data protection requirements such as finance, healthcare, and government. Although availability is not directly affected, the indirect consequences of data theft or defacement could lead to operational disruptions and regulatory penalties under GDPR. The requirement for user interaction and low privileges lowers the barrier for exploitation but limits automated mass exploitation. However, targeted attacks against high-value users or administrators remain a concern.

Organizations should immediately inventory their Adobe Experience Manager deployments to identify affected versions (6.5.23 and earlier). While official patches were not linked at disclosure, monitoring Adobe’s security advisories for updates is critical. In the interim, implement strict input validation and output encoding on all user-supplied data within AEM forms to prevent script injection. Deploy Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and reduce XSS impact. Employ web application firewalls (WAFs) with rules designed to detect and block XSS payloads targeting AEM. Educate users to recognize suspicious behavior and report anomalies. Regularly audit logs for unusual form submissions or script execution patterns. Limit privileges for users who can submit data to the minimum necessary. Finally, plan for rapid patch deployment once Adobe releases an official fix to close the vulnerability permanently.