CVE-2025-64602 is a stored Cross-Site Scripting (XSS) vulnerability identified in Adobe Experience Manager (AEM), specifically affecting versions 6.5.23 and earlier. Stored XSS occurs when malicious scripts are permanently injected into a target application’s data store, such as form fields, and later rendered in users’ browsers. In this case, a low-privileged attacker can exploit vulnerable form fields within AEM to insert malicious JavaScript code. When a victim accesses a page containing the compromised field, the injected script executes in their browser context, potentially leading to session hijacking, credential theft, or unauthorized actions performed on behalf of the user. The vulnerability requires the attacker to have some level of access to submit data (low privilege) and relies on user interaction (visiting the affected page). The CVSS 3.1 base score is 5.4, indicating a medium severity level, with attack vector as network, low attack complexity, requiring privileges, and user interaction. The impact affects confidentiality and integrity but not availability. No public exploits have been reported yet, but the vulnerability poses a risk to organizations using AEM for managing web content and digital experiences, especially those exposing forms to external users. The lack of available patches at the time of reporting necessitates immediate mitigation through input validation and security controls.

For European organizations, this vulnerability can lead to unauthorized script execution in users’ browsers, potentially compromising sensitive data such as authentication tokens, personal information, or internal session data. This can result in account takeover, data leakage, or unauthorized actions performed under the victim’s identity. Organizations relying on Adobe Experience Manager for public-facing websites or intranet portals are particularly vulnerable, as attackers can exploit user interactions to propagate malicious scripts. The impact is heightened in sectors handling sensitive or regulated data, such as finance, healthcare, and government, where data confidentiality and integrity are critical. Additionally, reputational damage and regulatory penalties under GDPR could arise if personal data is compromised. The absence of known exploits reduces immediate risk but does not eliminate the threat, as attackers may develop exploits once the vulnerability details are public. The medium severity rating suggests moderate urgency but should not be deprioritized given the widespread use of AEM in Europe.

1. Monitor Adobe’s official channels for patches addressing CVE-2025-64602 and apply them promptly once available. 2. Implement strict input validation and sanitization on all form fields within Adobe Experience Manager to prevent injection of malicious scripts. Use allowlists for acceptable input characters and lengths. 3. Deploy Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and reduce the impact of any injected code. 4. Conduct regular security audits and penetration testing focused on web application vulnerabilities, including XSS, especially on public-facing forms. 5. Educate content managers and developers on secure coding practices and the risks of XSS vulnerabilities. 6. Use web application firewalls (WAF) with rules tuned to detect and block XSS payloads targeting AEM. 7. Limit privileges for users who can submit data to the minimum necessary to reduce attack surface. 8. Monitor logs and user activity for unusual behavior that may indicate exploitation attempts. 9. Consider isolating critical AEM components or sensitive user interactions behind additional authentication or verification layers.