CVE-2025-64603 is a stored Cross-Site Scripting (XSS) vulnerability identified in Adobe Experience Manager (AEM) versions 6.5.23 and earlier. The vulnerability arises because certain form fields in AEM do not properly sanitize user-supplied input, allowing an attacker with low privileges to inject malicious JavaScript code that is stored persistently on the server. When other users access the affected pages containing these vulnerable form fields, the malicious script executes in their browsers within the security context of the AEM application. This can lead to session hijacking, unauthorized actions performed on behalf of the user, or theft of sensitive information. The vulnerability has a CVSS 3.1 base score of 5.4, indicating medium severity, with an attack vector of network (remote), low attack complexity, requiring low privileges but user interaction, and impacting confidentiality and integrity but not availability. No public exploits are currently known, but the vulnerability's presence in a widely used enterprise content management system makes it a significant concern. The vulnerability is classified under CWE-79, which covers improper neutralization of input during web page generation. Adobe has not yet released a patch at the time of this report, so organizations must rely on interim mitigations.

For European organizations, the impact of this vulnerability can be significant, especially for those relying on Adobe Experience Manager to manage critical web content, including government portals, media outlets, and large enterprises. Successful exploitation can lead to theft of user credentials, session tokens, or other sensitive data, enabling further compromise of user accounts and internal systems. It can also facilitate phishing attacks or unauthorized actions performed with the privileges of authenticated users. While availability is not directly affected, the confidentiality and integrity of user data and interactions are at risk. Given the widespread use of Adobe products in Europe, particularly in countries with strong digital government initiatives and media presence, this vulnerability could be leveraged to target high-value users or disrupt trust in public-facing web services.

Organizations should prioritize the following mitigations: 1) Monitor Adobe’s security advisories closely and apply official patches immediately upon release. 2) Implement strict input validation and output encoding on all form fields within AEM to prevent script injection. 3) Deploy Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. 4) Conduct regular security audits and penetration testing focused on XSS vulnerabilities in web applications. 5) Educate users and administrators about the risks of XSS and encourage cautious behavior when interacting with web content. 6) Use web application firewalls (WAFs) configured to detect and block common XSS attack patterns as a temporary protective measure. 7) Limit the privileges of users who can submit content to minimize the attack surface. These steps, combined, reduce the risk until a patch is available and applied.