CVE-2025-64598 is a stored Cross-Site Scripting (XSS) vulnerability identified in Adobe Experience Manager (AEM) versions 6.5.23 and earlier. This vulnerability allows a low-privileged attacker to inject malicious JavaScript code into vulnerable form fields within the AEM interface. When a victim user accesses a page containing the injected script, the malicious code executes in their browser context. The vulnerability arises due to insufficient input sanitization and output encoding of user-supplied data in form fields, enabling persistent script injection. The attack vector is network-based, requiring the attacker to submit crafted input through the web interface, and user interaction is necessary for exploitation since the victim must visit the compromised page. The CVSS v3.1 base score of 5.4 reflects a medium severity, considering the attack complexity is low, privileges required are low, but user interaction is necessary. The vulnerability impacts confidentiality and integrity by potentially allowing session hijacking, credential theft, or unauthorized actions performed in the victim’s browser session. Availability is not affected. Adobe has not yet released patches at the time of this report, and no known exploits have been observed in the wild. However, given the widespread use of AEM in enterprise web content management, this vulnerability poses a significant risk if left unaddressed.

For European organizations, this vulnerability can lead to unauthorized disclosure of sensitive information, including session cookies and personal data, through malicious script execution in users’ browsers. Attackers could manipulate web content or perform actions on behalf of authenticated users, undermining trust and potentially causing reputational damage. Public-facing AEM portals used by government agencies, financial institutions, and large enterprises are particularly at risk, as they often handle sensitive data and have a broad user base. The medium severity score indicates a moderate risk, but the impact can escalate if combined with social engineering or phishing to increase user interaction. Additionally, compromised systems could serve as a foothold for further attacks within the network. The lack of current exploits in the wild provides a window for mitigation, but the risk remains significant due to the popularity of Adobe Experience Manager in Europe.

1. Monitor Adobe’s official channels for patches addressing CVE-2025-64598 and apply them promptly once available. 2. Implement strict input validation on all form fields to reject or sanitize potentially malicious scripts before storage. 3. Employ robust output encoding techniques to ensure that user-supplied data is safely rendered in HTML contexts, preventing script execution. 4. Deploy Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and reduce the impact of XSS attacks. 5. Conduct regular security audits and penetration testing focused on web application vulnerabilities, including stored XSS. 6. Educate users and administrators about the risks of interacting with untrusted content and encourage cautious behavior when accessing web portals. 7. Utilize web application firewalls (WAFs) with updated rules to detect and block common XSS attack patterns targeting AEM. 8. Review and limit user privileges within AEM to minimize the ability of low-privileged users to inject malicious content. 9. Implement logging and monitoring to detect unusual activity indicative of exploitation attempts.