
CVE-2025-64597: Cross-site Scripting (Stored XSS) (CWE-79) in Adobe Experience Manager

Severity: Medium
Tags: Vulnerability, CVE-2025-64597, CWE-79
Published: Wed Dec 10 2025 (12/10/2025, 18:23:42 UTC)
Source: CVE Database V5
Vendor/Project: Adobe
Product: Adobe Experience Manager

Description

CVE-2025-64597 is a stored Cross-Site Scripting (XSS) vulnerability in Adobe Experience Manager (AEM) versions 6.5.23 and earlier. It allows a low-privileged attacker to inject malicious JavaScript into vulnerable form fields; the script then executes in the browsers of users who visit the affected pages. Exploitation requires user interaction and some privileges, but it can affect confidentiality and integrity, for example by stealing session tokens or manipulating page content. The CVSS score is 5.4 (medium severity), reflecting the moderate risk given the need for privileges and user interaction. No known exploits are currently reported in the wild. European organizations using AEM for content management and digital experience delivery should prioritize patching and implement input validation and content security policies to mitigate risk. Countries with high adoption of Adobe Experience Manager, such as Germany, France, and the UK, are most likely to be affected.

AI-Powered Analysis

Last updated: 12/17/2025, 21:00:23 UTC

Technical Analysis

CVE-2025-64597 is a stored Cross-Site Scripting (XSS) vulnerability affecting Adobe Experience Manager (AEM) versions 6.5.23 and earlier. Stored XSS occurs when malicious input is saved by the application and later rendered in users' browsers without proper output encoding. In this case, a low-privileged attacker can inject malicious JavaScript code into vulnerable form fields within AEM. When legitimate users access pages containing the injected script, the code executes in their browsers, potentially leading to session hijacking, credential theft, or unauthorized actions performed on behalf of the user. The attacker needs some level of access to submit data (a low-privileged account), and script execution depends on user interaction. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) indicates a network attack vector, low attack complexity, low privileges required, user interaction needed, and a scope change that affects confidentiality and integrity but not availability. No patches or exploits are currently publicly available, but the vulnerability is published and should be addressed promptly. Adobe Experience Manager is widely used by enterprises for managing digital content and customer experiences, making this vulnerability significant for organizations relying on AEM for web presence and customer engagement.

Potential Impact

For European organizations, this vulnerability poses a risk to the confidentiality and integrity of web applications managed via Adobe Experience Manager. Attackers exploiting this flaw could steal session cookies, enabling account takeover, or manipulate displayed content to conduct phishing or fraud. This could lead to data breaches, reputational damage, and regulatory compliance issues under GDPR if personal data is compromised. The impact is particularly critical for organizations with customer-facing portals, intranets, or internal applications hosted on AEM. Since the vulnerability requires some privileges and user interaction, the risk is mitigated somewhat but remains significant in environments with many users or where attackers can gain low-level access. The scope change in the CVSS vector suggests that the vulnerability could affect resources beyond the initially vulnerable component, increasing potential damage. Given the widespread use of AEM in sectors such as finance, government, and retail across Europe, the threat could disrupt critical services or expose sensitive information.

Mitigation Recommendations

European organizations should immediately review their Adobe Experience Manager deployments and verify the version in use. Since no official patches are currently linked, organizations should implement the following mitigations:

1) Apply strict input validation and sanitization on all form fields to prevent malicious script injection.
2) Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers.
3) Limit privileges of users who can submit data to AEM forms to reduce the attack surface.
4) Monitor web application logs for suspicious input patterns or anomalous user behavior indicative of exploitation attempts.
5) Educate users about the risks of clicking on untrusted links or interacting with suspicious content.
6) Prepare to apply official Adobe patches or updates as soon as they become available.
7) Consider deploying web application firewalls (WAFs) with rules targeting XSS payloads specific to AEM.

These targeted mitigations go beyond generic advice by focusing on the specific attack vector and environment.
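The output-encoding, CSP and log-review steps from mitigations 1, 2 and 4, shown as an added JavaScript example that is not from this advisory, from Adobe, or from AEM's own code. The render functions, the CSP directive set, the detection heuristic and the sample submissions are all hypothetical or constructed for illustration; a real deployment would apply the same pattern inside its own templating layer.

```javascript
// Added example (not Adobe/AEM code): generic defenses for stored XSS in form fields.
// Everything here is hypothetical; the sample submissions are constructed, not real data.

const ESCAPE_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Output encoding for the HTML text / quoted-attribute context.
// This is the step that stops stored markup from being parsed as markup.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPE_MAP[ch]);
}

// Vulnerable pattern: stored field values are interpolated verbatim into the page,
// so a value that contains <script> becomes live script for every visitor.
function renderCommentUnsafe(comment) {
  return `<div class="comment"><span class="author">${comment.author}</span>` +
         `<p>${comment.body}</p></div>`;
}

// Hardened pattern: every untrusted field is encoded for the context it lands in.
function renderCommentSafe(comment) {
  return `<div class="comment"><span class="author">${escapeHtml(comment.author)}</span>` +
         `<p>${escapeHtml(comment.body)}</p></div>`;
}

// Content Security Policy (mitigation 2): no inline script except the page's own
// nonce-tagged blocks, so a payload that slips past encoding still does not execute.
// The nonce must be freshly generated per response by the server (hypothetical helper).
function buildCsp(nonce) {
  return [
    "default-src 'self'",
    `script-src 'self' 'nonce-${nonce}'`,
    "object-src 'none'",
    "base-uri 'self'",
    "frame-ancestors 'self'",
  ].join('; ');
}

// Log-review heuristic (mitigation 4): flag submitted values containing script-like
// markup for analyst triage. Deliberately simple; it complements, not replaces, a WAF.
const SUSPICIOUS_PATTERNS = [
  /<\s*script\b/i,        // script tags
  /\bon[a-z]+\s*=/i,      // inline event handlers such as onerror=
  /javascript\s*:/i,      // javascript: URLs
  /<\s*iframe\b/i,        // frame injection
  /<\s*svg\b/i,           // SVG with embedded script/handlers
];

function looksLikeScriptInjection(value) {
  return SUSPICIOUS_PATTERNS.some((re) => re.test(String(value)));
}

// Returns the ids of submissions that should be reviewed.
function scanSubmissions(entries) {
  return entries.filter((e) => looksLikeScriptInjection(e.value)).map((e) => e.id);
}

// Constructed sample form submissions (not real data).
const SAMPLE_SUBMISSIONS = [
  { id: 1, field: 'comment', value: 'Great article, thanks!' },
  { id: 2, field: 'comment', value: '<script>alert(1)</script>' },
  { id: 3, field: 'name',    value: 'Bob <b>bold</b>' },          // markup, but not script
  { id: 4, field: 'bio',     value: '<img src=x onerror=alert(1)>' },
];

// Stand-alone demonstration.
const stored = { author: 'Mallory', body: SAMPLE_SUBMISSIONS[1].value };
console.log('unsafe :', renderCommentUnsafe(stored));
console.log('safe   :', renderCommentSafe(stored));
console.log('CSP    :', buildCsp('r4nd0m'));
console.log('review :', scanSubmissions(SAMPLE_SUBMISSIONS)); // [2, 4]
```

The two render functions make the difference visible: the unsafe version emits the stored `<script>` tag intact, the safe version emits `&lt;script&gt;`, which the browser displays as text. The CSP is defense in depth for the case where some template path forgets to encode, and the scanner is a triage aid for the log-monitoring step, not a blocking control.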


Technical Details

Data Version: 5.2
Assigner Short Name: adobe
Date Reserved: 2025-11-05T22:53:10.940Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 6939bdaafe7b3954b690b340

Added to database: 12/10/2025, 6:36:26 PM

Last enriched: 12/17/2025, 9:00:23 PM

Last updated: 2/5/2026, 5:16:11 PM

Views: 27
