CVE-2025-64623 is a stored Cross-Site Scripting (XSS) vulnerability identified in Adobe Experience Manager (AEM) versions 6.5.23 and earlier. This vulnerability arises from insufficient sanitization of user input in certain form fields, allowing a low-privileged attacker to inject malicious JavaScript code that is stored on the server and later executed in the browsers of users who access the affected pages. The attack vector is network-based, with low complexity, but requires the attacker to have some level of privileges (PR:L) and user interaction (UI:R) since the victim must visit the compromised page. The vulnerability impacts confidentiality and integrity by enabling attackers to steal session cookies, perform actions on behalf of users, or manipulate displayed content, although it does not affect availability. The scope is changed (S:C) because the vulnerability can affect resources beyond the attacker’s privileges once exploited. The CVSS 3.1 base score is 5.4, categorizing it as medium severity. No public exploits are known yet, but the vulnerability poses a risk to organizations relying on AEM for web content management, especially those with multiple users accessing the system. Adobe has not yet released patches, so mitigation relies on compensating controls such as input validation and privilege restrictions.

For European organizations, this vulnerability can lead to unauthorized disclosure of sensitive information, such as session tokens or personal data, through malicious script execution in users’ browsers. Attackers could hijack user sessions, impersonate users, or manipulate content, potentially damaging organizational reputation and violating data protection regulations like GDPR. Since AEM is widely used by enterprises and public sector entities in Europe for managing digital content and websites, exploitation could disrupt business operations and erode user trust. The medium severity score indicates moderate risk, but the potential for chained attacks or further exploitation elevates concern. Organizations with public-facing AEM instances or those allowing user-generated content are particularly vulnerable. The lack of known exploits currently reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits once patches are released or details become widely known.

1. Monitor Adobe’s official channels for the release of security patches for AEM and apply them promptly once available. 2. Implement strict input validation and output encoding on all form fields to prevent injection of malicious scripts. 3. Restrict user privileges to the minimum necessary, especially for users who can submit content to vulnerable forms. 4. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in browsers. 5. Conduct regular security audits and penetration testing focused on web application vulnerabilities, including XSS. 6. Educate users and administrators about the risks of XSS and encourage cautious behavior when interacting with web content. 7. Use web application firewalls (WAFs) with rules designed to detect and block XSS payloads targeting AEM. 8. Isolate critical AEM instances and restrict access to trusted networks where possible to reduce exposure.