CVE-2025-64794 is a stored Cross-Site Scripting (XSS) vulnerability identified in Adobe Experience Manager (AEM) versions 6.5.23 and earlier. The vulnerability arises from insufficient sanitization of user input in certain form fields, allowing a low-privileged attacker to inject malicious JavaScript code that is stored persistently on the server. When other users access the affected pages, the malicious script executes in their browsers within the security context of the vulnerable web application. This can lead to theft of session cookies, user impersonation, unauthorized actions, or content manipulation. The vulnerability requires the attacker to have some level of access to submit data (low privilege) and relies on user interaction to trigger the malicious script execution. The CVSS v3.1 base score is 5.4, indicating a medium severity level, with attack vector being network-based, low attack complexity, requiring privileges, and user interaction. The scope is changed, meaning the vulnerability affects components beyond the initially vulnerable module. No public exploits have been reported yet, but the risk remains significant due to the widespread use of AEM in enterprise environments. Adobe has not yet released patches but the vulnerability is publicly disclosed, urging organizations to prepare mitigations. The vulnerability is categorized under CWE-79, a common and well-understood class of web application security flaws.

For European organizations, the impact of this vulnerability can be considerable, especially for those relying on Adobe Experience Manager to deliver digital content and customer experiences. Successful exploitation can lead to unauthorized disclosure of sensitive information such as session tokens or personal data, undermining confidentiality. Integrity can be compromised by attackers injecting or altering content displayed to users, potentially damaging brand reputation and trust. Although availability is not directly impacted, the indirect effects of exploitation, such as phishing or malware delivery, can disrupt operations. Given the medium CVSS score and the requirement for user interaction, the threat is moderate but should not be underestimated. Organizations in sectors like finance, government, healthcare, and e-commerce, which often use AEM for public-facing portals, are particularly vulnerable. The risk is amplified by the potential for attackers to leverage this vulnerability as a foothold for further attacks within the network or to target high-value users.

To mitigate CVE-2025-64794, organizations should implement a multi-layered approach: 1) Monitor Adobe’s official channels for patches and apply them promptly once released. 2) Conduct thorough input validation and output encoding on all user-supplied data in AEM forms, ensuring that scripts or HTML tags are properly sanitized or escaped. 3) Deploy and enforce a strict Content Security Policy (CSP) to restrict the execution of unauthorized scripts and reduce the impact of XSS attacks. 4) Review and restrict user privileges to minimize the ability of low-privileged users to submit malicious content. 5) Implement web application firewalls (WAFs) with rules designed to detect and block common XSS payloads targeting AEM. 6) Educate users and administrators about the risks of XSS and encourage vigilance when interacting with web content. 7) Regularly audit and test AEM instances for XSS and other injection flaws using automated scanners and manual penetration testing. These steps go beyond generic advice by focusing on the specific context of AEM and the nature of the vulnerability.