CVE-2025-64845 is a stored Cross-Site Scripting (XSS) vulnerability identified in Adobe Experience Manager (AEM), specifically affecting versions 6.5.23 and earlier. Stored XSS occurs when an attacker injects malicious scripts into a web application’s persistent storage, such as form fields, which are then served to other users. In this case, a low-privileged attacker can exploit vulnerable form fields within AEM to insert malicious JavaScript code. When a victim user accesses the affected page, the injected script executes in their browser context, potentially allowing the attacker to steal session cookies, perform actions on behalf of the user, or manipulate page content. The vulnerability requires user interaction (the victim must visit the compromised page) and low privileges for exploitation, but it does not require the attacker to have administrative access. The CVSS 3.1 base score is 5.4, indicating medium severity, with the vector AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, meaning the attack is network-based, requires low attack complexity, low privileges, user interaction, and impacts confidentiality and integrity with a scope change. No public exploits have been reported yet, but the vulnerability poses a risk to organizations relying on AEM for web content management, especially those exposing vulnerable forms to external users. The lack of available patches at the time of publication necessitates immediate mitigation efforts to reduce risk.

For European organizations, this vulnerability can lead to unauthorized disclosure of sensitive information such as session tokens or personal data, enabling further attacks like session hijacking or privilege escalation. The integrity of web content can be compromised, potentially damaging organizational reputation and user trust. While availability is not directly impacted, the indirect effects of compromised user sessions or data leakage can disrupt business operations. Organizations using AEM for public-facing websites or intranet portals are particularly at risk, as attackers can exploit the vulnerability to target employees or customers. The medium severity score reflects a moderate risk, but the widespread use of Adobe Experience Manager in Europe increases the potential impact. Regulatory frameworks such as GDPR heighten the consequences of data breaches resulting from such vulnerabilities, potentially leading to legal and financial penalties.

1. Immediately audit all Adobe Experience Manager instances to identify versions 6.5.23 or earlier and prioritize their upgrade to the latest patched version once available. 2. Implement strict input validation and sanitization on all form fields to prevent malicious script injection. 3. Deploy Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. 4. Limit user privileges on form inputs, ensuring that only trusted users can submit data to sensitive fields. 5. Monitor web application logs for unusual input patterns or repeated attempts to inject scripts. 6. Educate users about the risks of clicking on suspicious links or visiting untrusted pages within the organization’s web environment. 7. Use web application firewalls (WAFs) with rules designed to detect and block XSS payloads targeting AEM. 8. Prepare incident response plans to quickly address any exploitation attempts or breaches related to this vulnerability.