CVE-2025-64597 is a stored Cross-Site Scripting (XSS) vulnerability identified in Adobe Experience Manager (AEM), a widely used enterprise content management system. The flaw exists in versions 6.5.23 and earlier, where insufficient input sanitization in certain form fields allows a low-privileged attacker to inject malicious JavaScript code. When a victim user accesses a page containing the injected payload, the malicious script executes in their browser context. This can lead to unauthorized actions such as session hijacking, credential theft, or unauthorized modification of displayed content, impacting confidentiality and integrity. The vulnerability requires the attacker to have some level of access to submit data (low privilege) and relies on user interaction to trigger the payload execution. The CVSS 3.1 base score is 5.4, reflecting medium severity with network attack vector, low attack complexity, privileges required, user interaction needed, and a scope change. No public exploits have been reported yet, but the vulnerability's presence in a critical digital experience platform makes it a significant concern. Adobe has not yet released patches, but organizations should prepare to apply updates promptly. The vulnerability is classified under CWE-79, a common web application security weakness related to improper neutralization of input leading to XSS.

For European organizations, the impact of this vulnerability can be substantial, especially for those relying on Adobe Experience Manager for public-facing websites, intranets, or customer portals. Exploitation could allow attackers to steal session cookies, impersonate users, or perform unauthorized actions within the context of the victim’s session, potentially leading to data leakage or unauthorized access to sensitive information. This can damage organizational reputation, lead to regulatory non-compliance (e.g., GDPR breaches), and cause operational disruptions. Since AEM is often used by large enterprises and government entities in Europe, the risk extends to critical infrastructure and public services. The medium severity score suggests moderate risk, but the scope of impact depends on the extent of AEM deployment and the sensitivity of data handled. The requirement for user interaction and low privileges reduces the ease of exploitation but does not eliminate risk, especially in environments with many users or high-value targets.

1. Monitor Adobe’s official security advisories closely and apply patches or updates as soon as they are released for AEM versions 6.5.23 and earlier. 2. Implement strict input validation and output encoding on all user-controllable fields within AEM to prevent injection of malicious scripts. 3. Deploy Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. 4. Conduct regular security audits and penetration testing focusing on web application vulnerabilities, including XSS. 5. Educate users and administrators about the risks of clicking on suspicious links or interacting with untrusted content. 6. Consider implementing web application firewalls (WAFs) with rules designed to detect and block XSS payloads targeting AEM. 7. Limit privileges of users who can submit content to the minimum necessary to reduce the attack surface. 8. Review and harden AEM configurations to disable unnecessary features or input fields that could be exploited.