CVE-2025-64820 is a stored Cross-Site Scripting (XSS) vulnerability identified in Adobe Experience Manager (AEM) versions 6.5.23 and earlier. Stored XSS occurs when malicious input is saved by the application and later rendered in a web page without proper sanitization or encoding, allowing arbitrary JavaScript execution in the context of the victim's browser. In this case, a low-privileged attacker can exploit vulnerable form fields to inject malicious scripts. When other users visit the affected pages, the injected scripts execute, potentially leading to session hijacking, credential theft, or unauthorized actions performed with the victim’s privileges. The vulnerability requires the attacker to have some level of access to submit data (PR:L) and user interaction (UI:R) to trigger the malicious script execution. The CVSS v3.1 base score is 5.4, indicating a medium severity level, with the vector AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. This means the attack can be performed remotely over the network with low attack complexity, requires low privileges, and user interaction, and impacts confidentiality and integrity with a changed scope. No public exploits are currently known, but the vulnerability is published and should be addressed promptly. Adobe Experience Manager is widely used by enterprises and government agencies for managing web content, making this vulnerability significant for organizations relying on it for digital presence and customer engagement. The absence of a patch link suggests that a fix may be pending or recently released, so monitoring Adobe advisories is critical.

For European organizations, this vulnerability poses risks primarily to confidentiality and integrity of user data and sessions. Attackers exploiting this flaw can steal session cookies, enabling account takeover or unauthorized access to sensitive information. They can also perform actions on behalf of users, potentially leading to data manipulation or defacement of web content. Since AEM is often used by large enterprises, public sector bodies, and digital service providers in Europe, exploitation could disrupt services, damage reputations, and lead to regulatory non-compliance under GDPR if personal data is compromised. The medium CVSS score reflects that while the impact is not catastrophic, the vulnerability can facilitate lateral movement or privilege escalation in a broader attack chain. The requirement for user interaction and low privileges means attackers might leverage social engineering or compromised accounts to exploit the vulnerability. Given the widespread use of Adobe Experience Manager in European digital infrastructure, the threat could affect sectors such as finance, government, healthcare, and media.

Organizations should immediately inventory their Adobe Experience Manager deployments to identify affected versions (6.5.23 and earlier). They should monitor Adobe security advisories for patches and apply them as soon as they become available. In the interim, implement strict input validation and output encoding on all form fields to prevent malicious script injection. Deploy Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. Limit user privileges to the minimum necessary to reduce the risk of low-privileged attackers injecting malicious content. Conduct regular security testing, including automated scanning and manual code reviews, to detect and remediate XSS vulnerabilities. Educate users and administrators about the risks of social engineering and phishing that could facilitate exploitation. Consider web application firewalls (WAF) with rules targeting XSS payloads as a temporary protective measure. Finally, ensure logging and monitoring are in place to detect suspicious activities related to form submissions and script execution.