Platform
adobe
Component
adobe-experience-manager
Fixed in
6.5.24
A DOM-based Cross-Site Scripting (XSS) vulnerability (CVE-2025-64537) has been identified in Adobe Experience Manager versions 6.5.23 and earlier. Successful exploitation allows an attacker to inject malicious scripts into a web page, potentially leading to arbitrary code execution. This vulnerability requires user interaction, specifically a victim visiting a crafted malicious page. Adobe has released updates to address this issue.
This XSS vulnerability in Adobe Experience Manager allows attackers to execute arbitrary JavaScript code within the context of a user's browser. This can be leveraged to steal session cookies, redirect users to malicious websites, deface the website, or even gain complete control over the user's account. The requirement for user interaction means attackers typically need to trick users into visiting a specially crafted page, potentially through phishing or social engineering techniques. Given the widespread use of AEM for enterprise content management, a successful attack could have a significant impact on confidentiality, integrity, and availability of sensitive data.
CVE-2025-64537 was publicly disclosed on December 10, 2025. While no public exploits have been confirmed as of this date, the CRITICAL severity and the relatively straightforward nature of XSS vulnerabilities suggest a high probability of exploitation. Monitor security advisories and threat intelligence feeds for any signs of active exploitation campaigns. This vulnerability is not currently listed on the CISA KEV catalog.
Organizations heavily reliant on Adobe Experience Manager for content management and digital asset management are at significant risk. Specifically, deployments with custom components or integrations that handle user-supplied data without proper sanitization are particularly vulnerable. Shared hosting environments where multiple websites share the same Adobe Experience Manager instance should also be considered high-risk, as a compromise of one site could potentially impact others.
• adobe: Examine Experience Manager logs for unusual JavaScript execution patterns or attempts to access sensitive data.
• generic web: Use curl/wget to test for reflected input in potentially vulnerable endpoints. Check response headers for unexpected script tags.
curl -X POST -d "<script>alert('XSS')</script>" https://your-aem-site/path/to/vulnerable/endpoint
• generic web: Grep access and error logs for patterns indicative of XSS attempts, such as <script> tags or eval() calls.
grep -i '<script>' /var/log/apache2/access.log
disclosure
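The grep above only matches a literal `<script>`, which misses payloads that arrive percent-encoded in the query string. This added Python example (not from this page or from Adobe) parses constructed Apache-style access-log lines, fully URL-decodes each query parameter, including double-encoded values, and then applies the indicator patterns; the log lines, the `INDICATORS` list and the function names are assumptions made here for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed Apache combined-format access-log lines (sample data, not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Dec/2025:10:00:01 +0000] "GET /content/site/en.html?q=hello HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Dec/2025:10:00:02 +0000] "GET /content/site/en.html?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Dec/2025:10:00:03 +0000] "GET /content/site/search.html?term=%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 98 "-" "curl/8.0"
203.0.113.9 - - [10/Dec/2025:10:00:04 +0000] "GET /content/site/en.html?redirect=javascript%3Aalert(document.cookie) HTTP/1.1" 302 0 "-" "curl/8.0"
203.0.113.11 - - [10/Dec/2025:10:00:05 +0000] "GET /content/site/en.html?q=%253Cscript%253E HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Indicators are matched against the fully decoded parameter value, not the raw log text.
INDICATORS = [
    ("script-tag", re.compile(r"<\s*/?\s*script\b", re.I)),
    ("event-handler", re.compile(r"\bon[a-z]+\s*=", re.I)),
    ("javascript-uri", re.compile(r"javascript\s*:", re.I)),
]


def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded payloads (e.g. %253C) are also seen."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_params(line):
    """Return [(param, decoded_value, indicator)] for the query string of one log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return []  # malformed or non-request line: nothing to inspect
    query = urlsplit(m.group("target")).query
    hits = []
    for name, raw in parse_qsl(query, keep_blank_values=True):  # parse_qsl decodes once
        value = decode_fully(raw)
        for label, pattern in INDICATORS:
            if pattern.search(value):
                hits.append((name, value, label))
    return hits


def scan(log_text):
    """Map 1-based line numbers of flagged requests to their indicator hits."""
    return {n: hits for n, line in enumerate(log_text.splitlines(), start=1)
            if (hits := suspicious_params(line))}
```

Payloads carried only in the URL fragment (`#...`), which DOM-based XSS frequently relies on, are never sent to the server and so never appear in these logs; this check covers query-string payloads only.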
Exploit status
EPSS
0.73% (72nd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-64537 is to upgrade to a patched version of Adobe Experience Manager. Adobe has released updates to address this vulnerability; refer to the official Adobe security advisory for the specific version number. If immediate patching is not possible, consider implementing input validation and output encoding on user-supplied data to reduce the attack surface. Web Application Firewalls (WAFs) configured with appropriate rules can also help to detect and block malicious requests. Regularly review and update AEM configurations to minimize potential attack vectors.
Update Adobe Experience Manager to a version newer than 6.5.23. Further information on updating your installation can be found in Adobe's security advisory.
CVE-2025-64537 is a CRITICAL DOM-based Cross-Site Scripting (XSS) vulnerability affecting Adobe Experience Manager versions 0–6.5.23, allowing attackers to inject malicious scripts.
If you are using Adobe Experience Manager versions 6.5.23 or earlier, you are potentially affected by this vulnerability. Check your version and upgrade accordingly.
The recommended fix is to upgrade to a patched version of Adobe Experience Manager. Refer to the official Adobe security advisory for details.
While no confirmed active exploitation has been publicly reported, the vulnerability's criticality and the ease of XSS exploitation suggest a high likelihood of future exploitation.
Please refer to the official Adobe Security Bulletin for CVE-2025-64537 on the Adobe Security Advisories website.