CVE-2025-64601: Cross-site Scripting (Stored XSS) (CWE-79) in Adobe Experience Manager
Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field.
AI Analysis
Technical Summary
CVE-2025-64601 is a stored Cross-Site Scripting (XSS) vulnerability, classified under CWE-79, affecting Adobe Experience Manager (AEM) versions 6.5.23 and earlier. Stored XSS occurs when script injected by an attacker is persisted on the server, typically through form fields or other user-input areas, and later executed in the browsers of users who view the affected content. Here, a low-privileged attacker can submit JavaScript into vulnerable AEM form fields; the script runs when other users visit the pages on which those fields are rendered. Because the payload is served from the application's own trusted origin, the browser's same-origin protections do not stop it, which increases the likelihood of successful exploitation.

The CVSS 3.1 base score of 5.4 (medium) corresponds to the vector AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N: the attack is performed remotely over the network with low attack complexity, requires low privileges and user interaction, has low impact on confidentiality and integrity, no impact on availability, and involves a scope change (resources beyond the vulnerable component are affected). No public exploits are known at this time, but the vulnerability's presence in a widely used enterprise content management system makes it a significant concern.

Adobe Experience Manager is commonly used by enterprises and government agencies to manage digital content and customer experiences, making it a valuable target for attackers seeking to steal credentials, hijack sessions, or manipulate displayed content. Exploitation could lead to unauthorized access to sensitive information or facilitate further attacks such as phishing or privilege escalation.
Potential Impact
For European organizations, the impact of CVE-2025-64601 can be substantial because Adobe Experience Manager is widely deployed in government, finance, healthcare, and media. Exploitation could lead to theft of session cookies, enabling attackers to impersonate legitimate users and access sensitive data, or to manipulation of website content, damaging brand reputation or misleading users. Confidentiality and integrity are the primary risks; availability is not directly affected. Given the medium CVSS score the threat is moderate, but it could be escalated when combined with other vulnerabilities or social engineering. Organizations that rely on AEM for customer-facing portals or internal collaboration platforms face an increased risk of data breaches and of GDPR compliance violations if personal data is exposed. Because exploitation needs only low privileges plus user interaction, a compromised low-privilege account or a social-engineering lure is a realistic path to exploitation. Additionally, the scope change indicates that the vulnerability could affect components beyond the immediately vulnerable module, potentially impacting integrated systems or services.
Mitigation Recommendations
To mitigate CVE-2025-64601, European organizations should first apply Adobe's patches or updates as soon as they are released; no patch links are provided at the time of writing. In the interim, enforce strict input validation and sanitization on all form fields to prevent script injection. Deploy Content Security Policy (CSP) headers to restrict execution of unauthorized scripts in browsers. Limit user privileges to the minimum necessary, reducing the ability of low-privileged users to inject content. Conduct regular security audits and penetration testing focused on XSS within AEM deployments. Monitor web server and application logs for unusual input patterns or injected script fragments. Educate users about the risks of interacting with suspicious content and encourage them to report anomalies. Consider a web application firewall (WAF) with rules tailored to detect and block XSS payloads targeting AEM. Finally, segment the network and isolate critical systems to limit the impact of any successful exploitation.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: adobe
- Date Reserved: 2025-11-05T22:53:10.941Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6939bdacfe7b3954b690bb43
Added to database: 12/10/2025, 6:36:28 PM
Last enriched: 12/10/2025, 7:18:38 PM
Last updated: 12/11/2025, 7:33:12 AM