A critical DOM-based Cross-Site Scripting (XSS) vulnerability has been identified in Adobe Experience Manager (AEM). This flaw allows an attacker to execute arbitrary code in a victim's browser by tricking them into visiting a malicious webpage, potentially leading to session hijacking, data theft, and further system compromise. Due to its high severity, immediate action is required to mitigate the significant risk to confidentiality and integrity.

The vulnerability is a DOM-based Cross-Site Scripting (XSS) flaw within Adobe Experience Manager. An attacker can craft a malicious URL or web page containing malicious scripts. When a victim with an active AEM session clicks this link, the malicious script is executed within the context of their browser's Document Object Model (DOM). This allows the attacker to bypass same-origin policy controls, leading to arbitrary code execution, theft of session cookies, and unauthorized actions on behalf of the user.

This vulnerability is rated as critical severity with a CVSS score of 9.3, posing a significant threat to the organization. Successful exploitation could lead to the complete takeover of a user's AEM session, granting the attacker the same privileges as the victim, which may include administrative access. The primary business risks include unauthorized access to sensitive corporate or customer data, modification or deletion of critical content managed by AEM, and reputational damage. The high impact on confidentiality and integrity could result in regulatory fines and loss of customer trust.

Immediate Action: Prioritize the deployment of vendor-supplied security updates across all affected Adobe Experience Manager instances. Organizations should immediately update to a version later than 6.5.23 as recommended by Adobe. Following the update, review access logs for any signs of compromise or exploitation attempts preceding the patch.

Proactive Monitoring: Implement enhanced monitoring of AEM application logs and web server logs. Specifically, search for suspicious requests containing script tags, encoded characters, or unusually long URL parameters that may indicate XSS payloads. Monitor for anomalous user session activity, such as actions being performed outside of business hours or from unusual IP addresses.

Compensating Controls: If immediate patching is not feasible, implement a Web Application Firewall (WAF) with a robust XSS rule set to detect and block malicious requests targeting the AEM environment. Enforce a strict Content Security Policy (CSP) header to prevent the browser from executing unauthorized inline scripts. Conduct user awareness training to educate employees on the risks of clicking untrusted or suspicious links.

Public Exploit Available: false

Given the critical severity (CVSS 9.3) of CVE-2025-64538, we strongly recommend that organizations treat this as a high-priority vulnerability and apply the necessary patches immediately. Although exploitation requires user interaction, the potential impact of a successful attack—including session takeover and data compromise—is severe. While this vulnerability is not yet on the CISA KEV list, its high score makes it a prime target for future exploitation. If patching is delayed, the compensating controls outlined above should be implemented without delay to reduce the attack surface.