CVE-2025-64861 is a stored Cross-Site Scripting (XSS) vulnerability identified in Adobe Experience Manager (AEM) versions 6.5.23 and earlier. The vulnerability arises from insufficient sanitization of user-supplied input in certain form fields, allowing a low-privileged attacker to inject malicious JavaScript code that is stored on the server. When a victim user accesses the affected page, the malicious script executes within their browser context, potentially leading to session hijacking, credential theft, or unauthorized actions performed on behalf of the user. The vulnerability is classified under CWE-79 and has a CVSS 3.1 base score of 5.4, indicating medium severity. The attack vector is network-based (remote), with low attack complexity and requiring low privileges but necessitating user interaction to trigger the payload. The scope is changed, meaning the vulnerability can affect resources beyond the vulnerable component. Currently, no public exploits or active exploitation in the wild have been reported. Adobe has not yet released a patch, but organizations are advised to monitor for updates. The vulnerability poses a significant risk to organizations relying on AEM for web content management, especially those with public-facing applications where attackers can submit malicious inputs. Stored XSS vulnerabilities are particularly dangerous because the malicious payload persists and can affect multiple users over time.

For European organizations, this vulnerability can lead to unauthorized disclosure of sensitive information, such as session cookies or personal data, through malicious script execution. It can also enable attackers to perform actions on behalf of authenticated users, potentially leading to data manipulation or defacement of web content. Organizations in sectors like government, finance, and e-commerce that use Adobe Experience Manager for digital services could face reputational damage, regulatory penalties under GDPR for data breaches, and operational disruptions. The persistent nature of stored XSS increases the risk of widespread impact across user bases. Since the vulnerability requires user interaction, phishing or social engineering campaigns could be used to lure victims to vulnerable pages. The medium CVSS score reflects moderate risk but should not lead to complacency given the potential for chained attacks or privilege escalation.

1. Monitor Adobe security advisories closely and apply official patches or updates as soon as they become available. 2. Implement strict input validation on all form fields to reject or sanitize potentially malicious input before storage. 3. Employ robust output encoding/escaping techniques to ensure that user-supplied data is safely rendered in HTML contexts. 4. Deploy Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and reduce the impact of XSS attacks. 5. Conduct regular security testing, including automated scanning and manual code reviews, focusing on input handling in AEM components. 6. Educate users and administrators about the risks of phishing and social engineering that could exploit this vulnerability. 7. Consider implementing Web Application Firewalls (WAFs) with rules designed to detect and block XSS payloads targeting AEM. 8. Limit privileges of users who can submit content to reduce the attack surface. 9. Review and harden AEM configurations to minimize exposure of vulnerable components.