CVE-2025-64804 is a stored Cross-Site Scripting (XSS) vulnerability identified in Adobe Experience Manager (AEM), specifically affecting versions 6.5.23 and earlier. The vulnerability arises from insufficient sanitization of user input in certain form fields, allowing a low-privileged attacker to inject malicious JavaScript code that is stored on the server and subsequently executed in the browsers of users who access the compromised content. This type of vulnerability falls under CWE-79, which concerns improper neutralization of input leading to script injection. The attack vector is network-based (AV:N), requiring low attack complexity (AC:L) and low privileges (PR:L), but user interaction is necessary (UI:R) for the malicious payload to execute. The scope is changed (S:C), indicating that the vulnerability affects resources beyond the initially vulnerable component, potentially impacting users accessing the affected pages. The impact on confidentiality and integrity is low (C:L, I:L), with no impact on availability (A:N). Although no known exploits are currently reported in the wild, the vulnerability poses a risk of session hijacking, credential theft, or unauthorized actions performed in the context of the victim’s browser session. Adobe Experience Manager is widely used by enterprises and public sector organizations for managing digital content and web experiences, making this vulnerability relevant for organizations relying on AEM for their web infrastructure. The lack of available patches at the time of publication necessitates immediate mitigation efforts to reduce exposure.

For European organizations, the impact of CVE-2025-64804 can be significant, especially for those using Adobe Experience Manager to deliver web content and digital services. Exploitation could lead to unauthorized access to user sessions, theft of sensitive information such as authentication tokens or personal data, and potential defacement or manipulation of web content. This can damage organizational reputation, lead to regulatory non-compliance (e.g., GDPR violations due to data leakage), and disrupt business operations. Public sector entities and enterprises with customer-facing portals are particularly at risk, as attackers could leverage this vulnerability to target end users or internal staff. The medium CVSS score reflects that while the vulnerability is not critical, it still presents a tangible threat that could be exploited in targeted attacks or combined with other vulnerabilities for greater impact. The requirement for user interaction and low privileges lowers the barrier for exploitation, increasing the likelihood of successful attacks if unmitigated.

European organizations should implement the following specific mitigation measures: 1) Apply official Adobe patches or updates as soon as they become available to remediate the vulnerability directly. 2) In the interim, enforce strict input validation and sanitization on all form fields within AEM to prevent malicious script injection. 3) Implement robust output encoding on all user-supplied content rendered in web pages to neutralize potential XSS payloads. 4) Deploy Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and reduce the impact of any injected code. 5) Limit user privileges, ensuring that only trusted users can submit content to vulnerable forms, thereby reducing the attack surface. 6) Monitor web application logs and user activity for signs of suspicious behavior or attempted exploitation. 7) Educate users and administrators about the risks of XSS and encourage cautious interaction with untrusted content. 8) Consider using web application firewalls (WAFs) with rules tailored to detect and block XSS attempts targeting AEM. 9) Prepare incident response plans to quickly address any exploitation attempts or breaches related to this vulnerability.