CVE-2025-64840 is a stored Cross-Site Scripting (XSS) vulnerability identified in Adobe Experience Manager (AEM) versions 6.5.23 and earlier. The vulnerability arises from insufficient sanitization of user-supplied input in certain form fields, allowing a low-privileged attacker to inject malicious JavaScript code that is persistently stored on the server. When other users access the affected pages containing these vulnerable fields, the malicious script executes in their browsers within the security context of the AEM site. This can lead to unauthorized actions such as session hijacking, credential theft, or manipulation of displayed content. The vulnerability requires the attacker to have at least low-level privileges to submit malicious input and requires user interaction (victims must visit the compromised page). The CVSS 3.1 base score is 5.4, indicating medium severity, with the vector AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, meaning network attack vector, low attack complexity, low privileges required, user interaction required, scope changed, and limited confidentiality and integrity impact but no availability impact. No patches are currently linked, and no known exploits have been reported in the wild, but the vulnerability is publicly disclosed and should be considered a credible risk. The persistent nature of stored XSS increases the threat surface, especially for organizations with many users accessing dynamic content. Adobe Experience Manager is widely used by enterprises for content management and digital experience delivery, making this vulnerability significant for organizations relying on AEM for public-facing or internal portals.

For European organizations, this vulnerability poses a risk primarily to confidentiality and integrity of user sessions and data. Attackers could exploit the stored XSS to steal session cookies, perform actions on behalf of users, or deliver malware through the victim’s browser. This can lead to unauthorized access to sensitive information, defacement of websites, or reputational damage. Organizations in sectors such as finance, government, healthcare, and e-commerce that use Adobe Experience Manager for customer-facing portals or internal collaboration platforms are particularly vulnerable. The impact is heightened in environments where users have elevated privileges or access sensitive data. Although availability is not directly affected, the indirect consequences of exploitation, such as loss of trust or regulatory penalties under GDPR for data breaches, can be severe. The medium CVSS score reflects moderate risk, but the ease of exploitation combined with the widespread use of AEM in Europe underscores the need for prompt mitigation.

1. Monitor Adobe’s official security advisories closely and apply patches or updates as soon as they become available for Adobe Experience Manager versions 6.5.23 and earlier. 2. Implement strict input validation and output encoding on all form fields to prevent injection of malicious scripts. Use context-aware encoding libraries to sanitize user inputs. 3. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers, reducing the impact of XSS attacks. 4. Limit user privileges to the minimum necessary, especially for users who can submit content to forms, to reduce the risk of malicious input. 5. Conduct regular security audits and penetration testing focused on web application vulnerabilities, including stored XSS. 6. Educate users and administrators about the risks of XSS and encourage cautious behavior when interacting with web content. 7. Consider implementing web application firewalls (WAFs) with rules designed to detect and block XSS payloads targeting AEM. 8. Review and harden AEM configurations to disable or restrict features that allow untrusted input to be stored and rendered without sanitization.