CVE-2025-64609: Cross-site Scripting (Stored XSS) (CWE-79) in Adobe Experience Manager
CVE-2025-64609 is a stored Cross-Site Scripting (XSS) vulnerability affecting Adobe Experience Manager (AEM) versions 6.5.23 and earlier. A low-privileged attacker can inject malicious JavaScript into vulnerable form fields, which executes in the browsers of users who visit the affected pages. This vulnerability requires user interaction and some privilege but can lead to confidentiality and integrity impacts by stealing session tokens or manipulating page content. The CVSS score is 5.4 (medium severity), reflecting network exploitability with low attack complexity but requiring privileges and user interaction. No known exploits are currently in the wild, and no patches have been published yet. European organizations using AEM for content management and digital experiences should prioritize mitigation to prevent potential exploitation. Countries with significant Adobe AEM deployments and critical digital infrastructure are at higher risk.
AI Analysis
Technical Summary
CVE-2025-64609 is a stored Cross-Site Scripting (XSS) vulnerability identified in Adobe Experience Manager (AEM) versions 6.5.23 and earlier. Stored XSS occurs when malicious scripts are persisted on the target server, such as within form fields, and later executed in the browsers of users who access the affected content. In this case, a low-privileged attacker can inject JavaScript code into vulnerable form fields within AEM. When legitimate users browse pages containing these fields, the malicious script executes in their browsers, potentially allowing the attacker to steal session cookies, perform actions on behalf of the user, or manipulate page content. The vulnerability has a CVSS 3.1 base score of 5.4, indicating medium severity. The vector indicates that the attack can be performed remotely over the network (AV:N), with low attack complexity (AC:L), requiring low privileges (PR:L) and user interaction (UI:R). The scope is changed (S:C), meaning the vulnerability affects resources beyond the initially vulnerable component. Impact is low on confidentiality and integrity (C:L/I:L) and none on availability (A:N). No public exploits or patches are currently known or available. This vulnerability is classified under CWE-79, which covers improper neutralization of input during web page generation. Since AEM is widely used for managing digital content and customer experiences, exploitation could lead to significant data exposure or manipulation. The vulnerability requires user interaction, limiting automated exploitation but still posing a risk in targeted phishing or social engineering scenarios.
Potential Impact
For European organizations, the impact of CVE-2025-64609 can be significant, especially for those relying on Adobe Experience Manager to deliver web content and digital services. Exploitation could lead to theft of sensitive user information such as session tokens, enabling account takeover or unauthorized actions within the affected web applications. This compromises confidentiality and integrity of user data and organizational content. Additionally, attackers could manipulate displayed content, damaging brand reputation or misleading users. Since AEM is often used by government agencies, financial institutions, and large enterprises in Europe, successful exploitation could disrupt critical services or lead to regulatory non-compliance under GDPR due to data leakage. The requirement for user interaction and low privileges means that phishing or social engineering could be used to trigger the attack, increasing the risk in environments with less security awareness. Although no known exploits exist yet, the public disclosure increases the risk of future attacks. Organizations with public-facing AEM instances are particularly vulnerable, as attackers can remotely target users browsing affected pages.
Mitigation Recommendations
1. Implement strict input validation and sanitization on all form fields within Adobe Experience Manager to prevent injection of malicious scripts.
2. Apply output encoding (e.g., HTML entity encoding) on all user-supplied content before rendering it in web pages to neutralize potential scripts.
3. Restrict user privileges to the minimum necessary, limiting the ability of low-privileged users to inject content.
4. Monitor web application logs and user activity for unusual patterns that may indicate attempted exploitation.
5. Educate users and administrators about phishing and social engineering risks to reduce the likelihood of user interaction triggering the vulnerability.
6. Deploy Content Security Policy (CSP) headers to restrict execution of unauthorized scripts in browsers.
7. Regularly update Adobe Experience Manager to the latest versions once patches become available from Adobe.
8. Consider using web application firewalls (WAFs) with rules tuned to detect and block XSS payloads targeting AEM.
9. Conduct security testing and code reviews focused on XSS vulnerabilities in custom AEM components or templates.
10. Isolate critical AEM instances from public internet access where feasible to reduce exposure.
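The following added example (written for this page, not code from Adobe or from an AEM component) shows recommendations 2, 4, 6 and 9 in working form: a template that concatenates stored field values straight into markup next to its context-encoded counterpart, a parser-based check that confirms no tag or event handler from the stored text became live markup, a CSP header without 'unsafe-inline', and a regex pass over constructed submission-log lines. It uses Python's standard library (html.escape, html.parser) to show the principle; in AEM itself the equivalents are HTL's context-aware output and the XSSAPI. The stored field values, log lines and URL path are constructed for the demonstration.

```python
"""Output encoding, CSP and log-side detection for stored XSS (added example)."""
import re
import secrets
from html import escape
from html.parser import HTMLParser

# Constructed sample values standing in for what a low-privileged user saved in
# two form fields; they are illustrative, not a payload from the advisory.
STORED_COMMENT = '<img src=x onerror="alert(document.cookie)">'
STORED_AUTHOR = 'x" onmouseover="alert(1)'


def render_vulnerable(comment: str, author: str) -> str:
    """The CWE-79 pattern: stored text concatenated directly into markup."""
    return f'<p class="comment" data-author="{author}">{comment}</p>'


def encode_html_body(value: str) -> str:
    """Recommendation 2, element-content context: entity-encode & < > " '."""
    return escape(value, quote=True)


def encode_html_attr(value: str) -> str:
    """Attribute context: entity-encode and always emit the surrounding quotes."""
    return '"' + escape(value, quote=True) + '"'


def render_hardened(comment: str, author: str) -> str:
    """Same markup, each value encoded for the context it lands in."""
    return (f'<p class="comment" data-author={encode_html_attr(author)}>'
            f'{encode_html_body(comment)}</p>')


class ActiveContentFinder(HTMLParser):
    """Records tags and attributes in rendered output that a browser would execute."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe", "object", "embed"):
            self.findings.append(f"<{tag}>")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"{tag}@{name}")
            elif name in ("src", "href") and value and value.strip().lower().startswith("javascript:"):
                self.findings.append(f"{tag}@{name}=javascript:")


def active_content(rendered: str) -> list:
    """Recommendation 9: parse the rendered page the way a browser would and
    list anything executable; an empty list means the stored text stayed text."""
    finder = ActiveContentFinder()
    finder.feed(rendered)
    return finder.findings


def csp_header(nonce: str) -> str:
    """Recommendation 6: only same-origin and nonce-tagged scripts may run, so an
    injected inline handler such as onerror= is blocked even if encoding is missed."""
    return (f"default-src 'self'; script-src 'self' 'nonce-{nonce}'; "
            "object-src 'none'; base-uri 'self'; frame-ancestors 'self'")


# Recommendation 4: flag submissions whose value carries script-like markup.
SUSPECT = re.compile(r"<\s*script|<\s*[a-z]+[^>]*\bon[a-z]+\s*=|javascript:", re.IGNORECASE)

# Constructed, URL-decoded form-submission log lines (path and users are made up).
SAMPLE_LOG = [
    '2025-12-10T18:36:28Z POST /content/site/feedback.html user=editor1 field=comment value="Great article"',
    '2025-12-10T18:37:02Z POST /content/site/feedback.html user=contrib7 field=comment value="<img src=x onerror=alert(1)>"',
    '2025-12-10T18:38:15Z POST /content/site/feedback.html user=contrib7 field=name value="Bob <bob@example.org>"',
]


def flag_submissions(lines) -> list:
    """Return the log lines worth an analyst's attention."""
    return [line for line in lines if SUSPECT.search(line)]


if __name__ == "__main__":
    print("vulnerable:", active_content(render_vulnerable(STORED_COMMENT, STORED_AUTHOR)))
    print("hardened:  ", active_content(render_hardened(STORED_COMMENT, STORED_AUTHOR)))
    print(csp_header(secrets.token_urlsafe(16)))
    for line in flag_submissions(SAMPLE_LOG):
        print("FLAG", line)
```

The parser check is deliberately run on the rendered output rather than on the input: it answers the question a code review of a custom component needs answered, namely whether a stored value can become structure. The regex over the log lines is a triage signal only; the third sample line shows why a bare `<` is not enough to flag a submission.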
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: adobe
- Date Reserved: 2025-11-05T22:53:10.942Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6939bdacfe7b3954b690bb58
Added to database: 12/10/2025, 6:36:28 PM
Last enriched: 12/17/2025, 9:03:56 PM
Last updated: 2/7/2026, 1:19:44 PM