CVE-2025-64604 is a stored Cross-Site Scripting (XSS) vulnerability identified in Adobe Experience Manager (AEM) versions 6.5.23 and earlier. Stored XSS occurs when malicious input is saved by the application and later rendered in users' browsers without proper sanitization or encoding. In this case, a low-privileged attacker can inject malicious JavaScript code into vulnerable form fields within AEM. When other users access pages containing these fields, the injected script executes in their browser context, potentially stealing session tokens, performing actions on behalf of the user, or delivering further malware. The vulnerability has a CVSS 3.1 base score of 5.4, indicating medium severity. The vector is network-based (AV:N), with low attack complexity (AC:L), requiring privileges (PR:L) and user interaction (UI:R). The scope is changed (S:C), meaning the vulnerability affects resources beyond the vulnerable component. The impact affects confidentiality and integrity partially (C:L/I:L) but does not affect availability (A:N). No patches are currently linked, and no known exploits have been reported in the wild, but the vulnerability is publicly disclosed and should be addressed promptly. The vulnerability stems from insufficient input validation and output encoding in form fields, allowing script injection that persists in the system. Attackers exploiting this vulnerability could compromise user sessions, deface content, or redirect users to malicious sites. Given AEM's widespread use in enterprise content management and digital experience delivery, this vulnerability poses a significant risk to organizations relying on it for web presence and internal portals.

For European organizations, the impact of CVE-2025-64604 can be significant, especially for those using Adobe Experience Manager to manage public-facing websites or internal portals. Successful exploitation can lead to theft of user credentials, session hijacking, unauthorized actions performed on behalf of users, and potential spread of malware. This can result in data breaches, reputational damage, regulatory non-compliance (e.g., GDPR violations), and operational disruptions. The confidentiality and integrity of user data and organizational content are at risk. Since the vulnerability requires user interaction, phishing or social engineering campaigns may be used to lure victims to vulnerable pages. Organizations in sectors such as finance, government, healthcare, and e-commerce, which heavily rely on AEM for digital services, are particularly vulnerable. The medium severity rating indicates that while the vulnerability is not critical, it still demands timely remediation to prevent exploitation and minimize risk exposure.

To mitigate CVE-2025-64604, European organizations should: 1) Monitor Adobe's official channels for patches or updates addressing this vulnerability and apply them promptly once available. 2) Implement strict input validation on all form fields to reject or sanitize potentially malicious scripts before storage. 3) Employ robust output encoding (e.g., HTML entity encoding) when rendering user-supplied content to prevent script execution. 4) Deploy Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and reduce the impact of XSS attacks. 5) Conduct regular security assessments and code reviews focusing on input handling and output rendering in AEM implementations. 6) Educate users and administrators about phishing risks and safe browsing practices to reduce the likelihood of user interaction with malicious content. 7) Utilize web application firewalls (WAFs) with rules tuned to detect and block XSS payloads targeting AEM. 8) Segment and restrict access to AEM administrative interfaces to minimize the attack surface. These measures, combined with timely patching, will significantly reduce the risk posed by this vulnerability.