CVE-2025-64606 is a stored Cross-Site Scripting (XSS) vulnerability identified in Adobe Experience Manager (AEM) versions 6.5.23 and earlier. The vulnerability arises from insufficient input sanitization in certain form fields, allowing a low-privileged attacker to inject malicious JavaScript code that is stored on the server and later executed in the browsers of users who access the affected pages. This type of vulnerability falls under CWE-79 and can lead to the compromise of user session tokens, unauthorized actions on behalf of users, or defacement of web content. The attack vector is network-based, requiring the attacker to have low privileges to submit malicious input and for the victim to interact with the compromised page. The CVSS v3.1 base score is 5.4, indicating medium severity, with the vector string AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. This means the attack can be performed remotely with low complexity, requires low privileges, user interaction, and impacts confidentiality and integrity with a scope change. No patches or exploits are currently publicly available, but the vulnerability is published and should be addressed promptly. Adobe Experience Manager is widely used by enterprises for managing digital content and customer experiences, making this vulnerability relevant for organizations relying on AEM for their web presence.

For European organizations, the impact of this vulnerability can be significant, especially for those using Adobe Experience Manager to manage public-facing websites or intranet portals. Exploitation could lead to theft of sensitive information such as authentication cookies or personal data, unauthorized actions performed in the context of legitimate users, and reputational damage due to defacement or malicious content injection. Confidentiality and integrity of user data are primarily at risk, while availability is not directly affected. Given the medium CVSS score and the requirement for user interaction, the threat is moderate but can be escalated if combined with social engineering or phishing campaigns. Organizations in sectors such as finance, government, healthcare, and e-commerce, which rely heavily on web applications for customer interaction, are particularly vulnerable. The vulnerability could also facilitate further attacks, such as session hijacking or spreading malware through injected scripts.

To mitigate CVE-2025-64606, organizations should: 1) Monitor Adobe’s security advisories closely and apply official patches or updates as soon as they become available. 2) Implement strict input validation and output encoding on all user-supplied data, especially in form fields, to prevent injection of malicious scripts. 3) Deploy Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and reduce the impact of XSS attacks. 4) Conduct regular security assessments and penetration testing focused on web application vulnerabilities. 5) Educate users and administrators about the risks of XSS and encourage cautious behavior when interacting with web content. 6) Use web application firewalls (WAFs) with rules tailored to detect and block XSS payloads targeting Adobe Experience Manager. 7) Review and minimize privileges required to submit content to reduce the attack surface. 8) Monitor logs and network traffic for unusual activity indicative of exploitation attempts.