CVE-2025-64599 is a stored Cross-Site Scripting (XSS) vulnerability identified in Adobe Experience Manager (AEM) versions 6.5.23 and earlier. Stored XSS vulnerabilities occur when an attacker is able to inject malicious scripts into a web application’s persistent storage, such as form fields, which are then served to other users. In this case, a low-privileged attacker can exploit vulnerable form fields within AEM to insert malicious JavaScript code. When other users access the affected pages containing these fields, the injected script executes in their browsers. This can lead to unauthorized actions such as session hijacking, credential theft, or performing actions on behalf of the victim user, thereby compromising confidentiality and integrity of user data. The vulnerability requires the attacker to have some level of access (low privilege) and relies on user interaction (visiting the compromised page) to trigger the exploit. The CVSS 3.1 base score is 5.4, indicating a medium severity level, with the vector AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. This means the attack is network exploitable with low attack complexity, requires low privileges, user interaction, and impacts confidentiality and integrity with a scope change. No known exploits are currently reported in the wild, and no patches were linked at the time of publication, suggesting organizations should monitor for updates. The vulnerability is classified under CWE-79, a common and well-understood web application security issue. Given AEM’s widespread use in enterprise content management, this vulnerability poses a risk to organizations relying on it for web content delivery.

For European organizations, the impact of CVE-2025-64599 can be significant, particularly for those using Adobe Experience Manager to manage public-facing websites or intranet portals. Exploitation can lead to theft of session cookies or credentials, enabling attackers to impersonate users or escalate privileges. This can result in unauthorized access to sensitive corporate data or disruption of business processes. Additionally, successful XSS attacks can damage organizational reputation and lead to regulatory compliance issues under GDPR if personal data is compromised. The medium severity score reflects that while the vulnerability does not allow direct system takeover or denial of service, the confidentiality and integrity of user sessions and data are at risk. The requirement for user interaction and low privilege reduces the likelihood of mass exploitation but does not eliminate targeted attacks. Organizations with large user bases or high-value targets are particularly vulnerable to phishing or social engineering campaigns leveraging this XSS flaw.

1. Monitor Adobe’s official security advisories and apply patches or updates for Adobe Experience Manager as soon as they become available. 2. Implement strict input validation on all form fields to sanitize and reject malicious scripts before storage. 3. Employ robust output encoding/escaping techniques to ensure that any user-supplied data rendered in web pages cannot execute as code. 4. Deploy Content Security Policy (CSP) headers to restrict the execution of untrusted scripts and reduce the impact of XSS attacks. 5. Conduct regular security testing, including automated scanning and manual penetration testing, focusing on web application input vectors. 6. Educate users and administrators about the risks of XSS and encourage vigilance against suspicious links or content. 7. Consider implementing web application firewalls (WAF) with rules designed to detect and block XSS payloads targeting AEM. 8. Review and limit user privileges to reduce the potential for low-privileged attackers to inject malicious content. 9. Audit existing content for injected scripts and remove any suspicious or unauthorized code. 10. Ensure logging and monitoring are in place to detect anomalous activities related to web form submissions and user sessions.