CVE-2025-64800 in Experience Manager

Summary

by MITRE • 12/10/2025

Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.


Analysis

by VulDB Data Team • 12/15/2025

Adobe Experience Manager versions 6.5.23 and earlier contain a critical stored cross-site scripting vulnerability that represents a significant threat to web application security. This vulnerability falls under the CWE-79 category of Cross-Site Scripting and operates as a stored XSS flaw where malicious input is permanently stored on the server and subsequently served to other users. The vulnerability specifically affects form fields within the AEM interface, creating an attack vector where low privilege users can inject malicious JavaScript code that persists in the application's database or storage mechanisms. When victims browse to pages containing these vulnerable fields, their browsers execute the injected scripts, potentially leading to unauthorized access, session hijacking, or data exfiltration.

The operational impact of this vulnerability extends beyond simple script execution as it provides attackers with a persistent foothold within the AEM environment. Attackers can leverage this flaw to manipulate user sessions, steal authentication tokens, redirect users to malicious sites, or perform actions on behalf of legitimate users. The stored nature of the vulnerability means that the malicious scripts remain active until manually removed from the system, allowing attackers to maintain long-term access to the application. This vulnerability directly maps to ATT&CK technique T1531 which involves the use of malicious code injection to gain unauthorized access to systems, and T1059 which covers command and scripting interpreter techniques that attackers use to execute malicious code within compromised environments.

Security professionals should recognize this vulnerability as particularly dangerous because it can be triggered by low privilege users who typically have minimal access rights. The flaw effectively allows these users to elevate their privileges by compromising other users' sessions and executing arbitrary code within those users' browser contexts. The vulnerability reflects poor input validation and output encoding practices in the AEM form handling mechanisms: user-supplied data is not properly sanitized before being stored and is rendered unencoded in subsequent page displays. This represents a fundamental breakdown in the application's security architecture and violates the principles of defense in depth and least privilege.

Organizations utilizing Adobe Experience Manager versions 6.5.23 and earlier should implement immediate mitigations including thorough input validation and output encoding for all user-supplied data within form fields, regular security audits of stored data, and comprehensive monitoring for suspicious activities. The most effective remediation approach involves updating to Adobe Experience Manager versions that have patched this vulnerability, as recommended by Adobe's security bulletins. Additionally, implementing content security policies, using secure coding practices for form handling, and conducting regular security testing can significantly reduce the risk associated with this stored XSS vulnerability. Organizations should also consider implementing web application firewalls and intrusion detection systems to monitor for exploitation attempts and provide additional layers of protection against this type of attack.
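The CWE-79 pattern described in the analysis above, and the output-encoding, stored-data audit and Content Security Policy mitigations from the last paragraph, as an added example. This is illustrative code written for this page, not Adobe's or VulDB's code and not AEM's actual form handling: the in-memory store, the field names, the sample submissions, the `escapeHtml`/`auditStore`/`cspHeader` helpers and the CSP directives are all assumptions constructed for the demonstration.

```javascript
'use strict';

// Constructed stand-in for the server-side store where submitted form field
// values persist (in AEM this would be the repository; here it is a Map).
const formStore = new Map();

// Step 1: a low-privilege user submits a form field. Nothing is validated,
// which is the precondition for the stored XSS described on the page.
function submitField(fieldName, value) {
  formStore.set(fieldName, value);
}

// Step 2a (vulnerable): the stored value is concatenated straight into the
// HTML, so any markup inside it becomes part of the page served to every
// later visitor. This is the defect pattern, kept deliberately unencoded.
function renderFieldUnsafe(fieldName) {
  return `<div class="field">${formStore.get(fieldName) || ''}</div>`;
}

// Step 2b (hardened): contextual output encoding for an HTML body context.
// Every character that can open or close markup is replaced by its entity.
// Note: attribute, URL and JavaScript contexts need their own encoders;
// this function is only correct for element text content.
function escapeHtml(str) {
  const entities = {
    '&': '&amp;', '<': '&lt;', '>': '&gt;',
    '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
  };
  return String(str).replace(/[&<>"'\/]/g, (ch) => entities[ch]);
}

function renderFieldSafe(fieldName) {
  return `<div class="field">${escapeHtml(formStore.get(fieldName) || '')}</div>`;
}

// Defender-side check used in tests: does rendered output contain an
// executable element, event-handler attribute or javascript: URL that the
// template itself never emits? Suitable for a CI regression test, not as a
// runtime filter (encoding, not blocklisting, is the fix).
function containsActiveContent(html) {
  return /<script\b|<\/script|\bon[a-z]+\s*=|javascript:/i.test(html);
}

// Audit helper for the "regular security audits of stored data" mitigation:
// report field names whose persisted value contains angle brackets, i.e.
// markup that should never have been accepted for a plain text field.
function auditStore() {
  const suspicious = [];
  for (const [name, value] of formStore) {
    if (/[<>]/.test(value)) suspicious.push(name);
  }
  return suspicious;
}

// A restrictive Content-Security-Policy header value. Assumption: the site
// serves scripts only from its own origin and tags legitimate inline scripts
// with a per-response nonce, so an injected inline <script> is not executed
// even if encoding is missed somewhere.
function cspHeader(nonce) {
  return `default-src 'self'; script-src 'self' 'nonce-${nonce}'; ` +
         `object-src 'none'; base-uri 'self'`;
}

// Constructed sample submissions: a benign value and a markup-bearing one.
submitField('displayName', 'Alice & Bob');
submitField('comment', '<script>alert(1)</script>');

// Usage when run directly: compare the two renderings and audit the store.
console.log(renderFieldUnsafe('comment'));   // markup reaches the page
console.log(renderFieldSafe('comment'));     // markup is inert text
console.log(auditStore());                   // ['comment']
console.log(cspHeader('r4nd0m'));
```

The point the two render functions make is the one the analysis describes: the stored value is identical in both cases, and only the encoding step at render time decides whether a later visitor's browser treats it as text or as script. The audit helper and the CSP value are the compensating controls the last paragraph recommends, and they complement rather than replace the encoding fix.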

Responsible: Adobe

Reservation: 11/11/2025

Disclosure: 12/10/2025

Moderation: accepted

CPE: ready

EPSS: 0.00167

KEV: no

Activities: very low
