CVE-2025-64802 is a stored Cross-Site Scripting (XSS) vulnerability identified in Adobe Experience Manager (AEM) versions 6.5.23 and earlier. This vulnerability arises from insufficient sanitization of user-supplied input in certain form fields, allowing an attacker with low privileges to inject malicious JavaScript code that is stored on the server and later executed in the browsers of users who access the affected pages. The attack vector is network-based, requiring the attacker to submit crafted input through vulnerable forms. The attack complexity is low, but it requires some privileges (PR:L) and user interaction (UI:R) since the victim must visit the compromised page. The vulnerability impacts confidentiality and integrity by enabling theft of session cookies, credentials, or manipulation of displayed content, but does not affect availability. The scope is changed (S:C), meaning the vulnerability can affect resources beyond the vulnerable component. The CVSS v3.1 base score is 5.4, indicating medium severity. No public exploits or patches are currently available, but the vulnerability is published and reserved as of late 2025. Adobe Experience Manager is widely used in enterprise content management and digital experience platforms, making this vulnerability significant for organizations relying on AEM for web content delivery. Attackers exploiting this vulnerability could conduct phishing, session hijacking, or defacement attacks, impacting user trust and data security.

For European organizations, the impact of CVE-2025-64802 can be significant, especially for those using Adobe Experience Manager to manage public-facing websites or internal portals. Exploitation could lead to theft of sensitive user information such as session tokens or credentials, enabling further unauthorized access or lateral movement within networks. The integrity of web content could be compromised, leading to misinformation or brand damage. Although availability is not directly affected, the reputational damage and potential regulatory consequences under GDPR for data breaches involving personal data could be severe. Organizations in sectors such as finance, government, healthcare, and e-commerce that rely heavily on AEM for digital engagement are at higher risk. The medium severity score reflects that while the vulnerability is not critical, it still poses a meaningful threat that could be leveraged in targeted attacks or combined with other vulnerabilities for greater impact.

To mitigate CVE-2025-64802, organizations should implement the following specific measures: 1) Apply input validation and output encoding on all user-supplied data in form fields to prevent malicious script injection. 2) Restrict privileges for users who can submit data to vulnerable forms to the minimum necessary. 3) Monitor and audit web application logs for suspicious input patterns or anomalous user behavior. 4) Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in browsers. 5) Use web application firewalls (WAFs) with rules targeting XSS attack signatures to block exploit attempts. 6) Stay alert for Adobe’s official patches or security advisories and apply updates promptly once available. 7) Educate developers and administrators on secure coding practices and the risks of stored XSS. 8) Consider isolating or disabling vulnerable form functionalities temporarily if patching is delayed. These steps go beyond generic advice by focusing on practical controls tailored to the nature of stored XSS in AEM environments.