CVE-2025-64847 is a stored Cross-Site Scripting (XSS) vulnerability identified in Adobe Experience Manager (AEM) versions 6.5.23 and earlier. Stored XSS occurs when malicious scripts are permanently stored on the target server, in this case within vulnerable form fields of AEM, and then executed in the browsers of users who access the affected pages. The vulnerability allows a low-privileged attacker to inject arbitrary JavaScript code that executes in the context of the victim’s browser session. This can lead to theft of session cookies, user impersonation, or unauthorized actions performed on behalf of the victim. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) indicates that the attack can be launched remotely over the network with low attack complexity, requires low privileges, and user interaction is necessary (victim must visit the malicious page). The scope is changed, meaning the vulnerability affects resources beyond the initially vulnerable component. The impact on confidentiality and integrity is low to moderate, with no direct availability impact. No patches or known exploits are currently available, but the vulnerability is publicly disclosed and should be addressed promptly. Adobe Experience Manager is widely used by enterprises for web content management and digital experience delivery, making this vulnerability significant for organizations relying on AEM for customer-facing portals and internal applications.

For European organizations, the impact of this vulnerability can be significant, especially for those using Adobe Experience Manager to manage web content and digital experiences. Successful exploitation could lead to session hijacking, credential theft, or unauthorized actions performed under the victim’s identity, potentially compromising sensitive customer or internal data. This could result in reputational damage, regulatory non-compliance (e.g., GDPR violations), and financial losses. Since AEM is often used by large enterprises, government agencies, and service providers, the risk extends to critical infrastructure and public-facing services. The requirement for user interaction somewhat limits automated exploitation, but phishing or social engineering could facilitate attacks. The absence of patches increases exposure time, emphasizing the need for proactive mitigation. Organizations with high web traffic and diverse user bases are at greater risk, as more users increase the likelihood of successful exploitation.

1. Implement strict input validation and sanitization on all form fields within Adobe Experience Manager to prevent injection of malicious scripts. 2. Deploy and enforce Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. 3. Monitor web application logs and user activity for unusual behavior indicative of XSS exploitation attempts. 4. Restrict privileges of users who can submit content to minimize the risk of malicious input from low-privileged accounts. 5. Educate users and administrators about the risks of clicking untrusted links or submitting unverified content. 6. Use web application firewalls (WAF) with rules tuned to detect and block XSS payloads targeting AEM. 7. Regularly review and update AEM configurations and apply security best practices for web content management. 8. Stay alert for Adobe’s official patches or security advisories and apply updates promptly once available. 9. Consider isolating critical AEM instances or sensitive content areas to reduce the blast radius of potential attacks.