CVE-2025-64873 is a stored Cross-Site Scripting (XSS) vulnerability identified in Adobe Experience Manager (AEM) versions 6.5.23 and earlier. Stored XSS occurs when an attacker manages to inject malicious scripts into web application input fields that are then permanently stored and served to other users. In this case, a low-privileged attacker can exploit vulnerable form fields within AEM to insert JavaScript code. When other users access pages containing these fields, the malicious script executes in their browsers, potentially allowing the attacker to steal session cookies, perform actions on behalf of the user, or manipulate page content. The vulnerability requires user interaction (visiting the affected page) and low privileges for exploitation, but no authentication bypass is needed. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) indicates network attack vector, low attack complexity, low privileges required, user interaction required, scope changed, and low impact on confidentiality and integrity, with no impact on availability. No patches or exploits are currently publicly available, but the vulnerability is published and should be addressed promptly. The vulnerability stems from insufficient input sanitization and output encoding in form fields, a common cause of stored XSS issues. Given AEM's widespread use in enterprise content management, this vulnerability poses a risk to organizations relying on it for web content delivery and management.

For European organizations, the impact of this vulnerability can be significant in environments where Adobe Experience Manager is used to manage public-facing websites or internal portals. Exploitation could lead to session hijacking, unauthorized actions performed in the context of authenticated users, defacement of web content, or distribution of malware via injected scripts. This can damage organizational reputation, lead to data leakage, and disrupt business operations. Although the confidentiality and integrity impacts are rated low, the scope change and potential for lateral impact within an organization increase the risk. Organizations in sectors such as government, finance, and media that rely heavily on AEM for content management are particularly at risk. The requirement for user interaction limits automated exploitation but does not eliminate risk, especially in phishing or targeted spear-phishing scenarios. The absence of known exploits in the wild currently reduces immediate risk but should not lead to complacency.

To mitigate this vulnerability, European organizations should prioritize upgrading Adobe Experience Manager to a version beyond 6.5.23 once patches are released. Until patches are available, organizations should implement strict input validation and output encoding on all form fields to prevent script injection. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. Regularly audit and sanitize user-generated content stored in AEM to detect and remove malicious scripts. Limit the privileges of users who can submit content to reduce the attack surface. Implement web application firewalls (WAFs) with rules targeting XSS attack patterns to block malicious payloads. Conduct security awareness training to reduce the risk of users clicking on malicious links or visiting compromised pages. Monitor logs and user activity for signs of exploitation attempts or unusual behavior. Finally, maintain an incident response plan tailored to web application attacks to quickly contain and remediate any incidents.