CVE-2025-64619 is a stored Cross-Site Scripting (XSS) vulnerability identified in Adobe Experience Manager (AEM) versions 6.5.23 and earlier. This vulnerability arises from insufficient sanitization of user input in certain form fields, allowing an attacker with low privileges to inject malicious JavaScript code that is stored on the server and later executed in the browsers of users who access the affected pages. The attack vector is network-based, requiring the attacker to submit crafted input via vulnerable forms. The vulnerability has a CVSS v3.1 base score of 5.4, indicating medium severity. The vector string (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) shows that the attack can be performed remotely over the network with low privileges, requires user interaction (victim must visit the malicious page), and affects confidentiality and integrity with a scope change. The vulnerability does not impact availability. No patches were listed at the time of publication, and no known exploits have been reported in the wild. Stored XSS in AEM can lead to session hijacking, credential theft, or unauthorized actions performed in the context of the victim’s session, potentially compromising sensitive data or administrative functions. Given AEM’s widespread use in enterprise content management and digital experience delivery, this vulnerability poses a significant risk to organizations relying on this platform for web content and customer engagement.

For European organizations, the impact of CVE-2025-64619 can be substantial, particularly for those using Adobe Experience Manager to manage public-facing websites or intranet portals. Exploitation could allow attackers to execute arbitrary JavaScript in the context of users’ browsers, leading to theft of session cookies, user credentials, or other sensitive information. This could facilitate further attacks such as account takeover or unauthorized access to internal systems. The vulnerability’s scope change means that the attacker’s influence can extend beyond their initial privileges, potentially affecting other users and systems. Organizations in sectors such as finance, government, healthcare, and e-commerce, which often use AEM for digital services, could face reputational damage, regulatory penalties under GDPR for data breaches, and operational disruptions. The requirement for user interaction and low privilege reduces the likelihood of widespread automated exploitation but does not eliminate targeted attacks against high-value users or administrators.

1. Monitor Adobe’s security advisories closely and apply official patches or updates as soon as they become available for Adobe Experience Manager versions 6.5.23 and earlier. 2. Implement strict input validation and output encoding on all user-supplied data in form fields to prevent injection of malicious scripts. 3. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. 4. Conduct regular security assessments and penetration testing focused on web application vulnerabilities, including stored XSS. 5. Educate users and administrators about the risks of clicking on suspicious links or submitting untrusted data. 6. Use web application firewalls (WAFs) with rules tailored to detect and block XSS payloads targeting AEM. 7. Review and harden user privilege assignments to minimize the number of users who can submit content that is rendered without sanitization. 8. Monitor logs and alerts for unusual activity that may indicate attempted exploitation.