Platform
adobe
Component
adobe-experience-manager
Fixed in
6.5.24
A DOM-based Cross-Site Scripting (XSS) vulnerability (CVE-2025-64537) has been identified in Adobe Experience Manager versions 6.5.23 and earlier. Successful exploitation allows an attacker to inject malicious scripts into a web page, which then run as arbitrary JavaScript in the victim's browser within the site's origin. This vulnerability requires user interaction, specifically a victim visiting a crafted malicious page. Adobe has released updates to address this issue.
This XSS vulnerability poses a significant threat to Adobe Experience Manager deployments, particularly authoring instances used by privileged users. An attacker can leverage it to run malicious JavaScript in web pages viewed by authenticated users. Because the script executes in the user's browser within the application's origin, it can read session cookies that are not marked HttpOnly, issue requests with the victim's session (including actions in the authoring UI), redirect users to malicious websites, or deface the page. The potential for session takeover significantly elevates the confidentiality and integrity impact. The user-interaction requirement means attackers will typically rely on social engineering such as phishing to lure victims to a crafted link. What distinguishes DOM-based XSS from reflected or stored XSS is that the untrusted data is taken from the DOM by client-side JavaScript (for example from location.hash, location.search or document.referrer) and written to a dangerous sink such as innerHTML or document.write; the payload may never reach the server, so server-side filtering and logging do not see it.
CVE-2025-64537 was publicly disclosed on December 10, 2025. The CVSS score of 9.3 (CRITICAL) reflects the severity of a successful attack, not the likelihood of one; the EPSS estimate (0.73%, 72nd percentile) is the probability measure. No public proof-of-concept (PoC) code has been released as of this writing, but XSS issues are typically straightforward to reproduce once the affected parameter is known, so PoCs may follow. Monitor security advisories and threat intelligence feeds for updates. The vulnerability is not currently listed in the CISA KEV catalog.
Exploit Status
EPSS
0.73% (72nd percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-64537 is to upgrade to a patched version of Adobe Experience Manager (6.5.24 or later); refer to the official Adobe security advisory for specific version details. If immediate patching is not feasible, compensating controls are limited, because the flaw lies in client-side code shipped with the product. A Web Application Firewall (WAF) configured with XSS rules can block payloads carried in the query string or path, but a payload carried in the URL fragment (the part after #) is never sent to the server and cannot be inspected there. A Content Security Policy that disallows inline scripts and javascript: URLs can blunt exploitation regardless of where the payload travels, but it must be tested first, since AEM's own UI may depend on inline scripts. Apply strict input validation and context-appropriate output encoding in your own components and client libraries, and review any third-party components or plugins integrated with Adobe Experience Manager, as they may introduce further XSS vectors.
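The DOM-based XSS pattern described in the analysis above, together with the text-sink and output-encoding fixes recommended here, as an added example that is not code from Adobe Experience Manager or from the Adobe advisory. The attacker URL, the host example.test, the page template and the minimal stand-in for a DOM element are constructed so the block runs under Node without a browser; in a real page the source would be location.hash and el a document element.

```javascript
// Added illustration of the DOM-based XSS pattern; not code from Adobe Experience Manager.
// A minimal stand-in for a DOM element lets it run under Node without a browser.

// Constructed attacker URL: the payload rides in the fragment, which the browser
// never sends to the server, so a WAF or server log cannot see it.
const ATTACKER_URL =
  "https://example.test/welcome.html#<img src=x onerror=alert(document.cookie)>";

// Constructed benign URL for comparison.
const BENIGN_URL = "https://example.test/welcome.html#Alice";

// Stand-in for a DOM element (constructed; a real page would use document.querySelector).
function makeElement() {
  return { innerHTML: "", textContent: "" };
}

// Source: the untrusted fragment, decoded the way client code commonly does.
function fragmentOf(url) {
  return decodeURIComponent(new URL(url).hash.slice(1));
}

// VULNERABLE: untrusted source flows unencoded into a markup-interpreting sink.
function renderVulnerable(url, el = makeElement()) {
  el.innerHTML = "<p>Welcome, " + fragmentOf(url) + "</p>";
  return el.innerHTML;
}

// FIX 1: use a text sink; textContent never parses markup.
function renderSafeText(url, el = makeElement()) {
  el.textContent = "Welcome, " + fragmentOf(url);
  return el.textContent;
}

// FIX 2: when a markup sink is unavoidable, HTML-entity-encode the untrusted value.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;", "`": "&#x60;" };
function escapeHtml(s) {
  return String(s).replace(/[&<>"'`]/g, (c) => HTML_ESCAPES[c]);
}
function renderSafeEncoded(url, el = makeElement()) {
  el.innerHTML = "<p>Welcome, " + escapeHtml(fragmentOf(url)) + "</p>";
  return el.innerHTML;
}

// Test-time check for your own templates: does a rendered HTML string contain a tag
// outside the allowlist, an on* event-handler attribute, or a javascript: URL attribute?
function hasUnexpectedMarkup(html, allowedTags = ["p"]) {
  const allowed = new Set(allowedTags.map((t) => t.toLowerCase()));
  const tagRe = /<\s*([a-zA-Z][\w-]*)([^>]*)>/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const [, name, attrs] = m;
    if (!allowed.has(name.toLowerCase())) return true;
    if (/\bon[a-z]+\s*=/i.test(attrs)) return true;
    if (/\b(?:href|src|action|formaction)\s*=\s*["']?\s*javascript:/i.test(attrs)) return true;
  }
  return false;
}

// Related DOM sink from the same attack class: an attacker-controlled value assigned
// to location.href. Allow only same-origin http(s) targets (rejects javascript: and
// protocol-relative //evil.test URLs).
function isSafeRedirectTarget(target, pageUrl) {
  let u;
  try {
    u = new URL(target, pageUrl);
  } catch {
    return false;
  }
  const sameOrigin = u.origin === new URL(pageUrl).origin;
  return sameOrigin && (u.protocol === "https:" || u.protocol === "http:");
}

// Stand-alone demonstration.
console.log("vulnerable :", renderVulnerable(ATTACKER_URL));
console.log("text sink  :", renderSafeText(ATTACKER_URL));
console.log("encoded    :", renderSafeEncoded(ATTACKER_URL));
console.log("flagged    :", hasUnexpectedMarkup(renderVulnerable(ATTACKER_URL)),
            hasUnexpectedMarkup(renderSafeEncoded(ATTACKER_URL)));
console.log("redirects  :", isSafeRedirectTarget("/account", "https://example.test/welcome.html"),
            isSafeRedirectTarget("javascript:alert(1)", "https://example.test/welcome.html"));
```

The vulnerable render passes the payload through to innerHTML, where the img element's onerror handler would fire; the text-sink and encoded renders keep the same characters as inert text. hasUnexpectedMarkup is a unit-test aid for your own templates, not a sanitizer and not a substitute for the upgrade: it flags the vulnerable output and passes the encoded one because the encoded string contains no tag other than the allowed p.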
Update Adobe Experience Manager to 6.5.24 or later. See the Adobe security advisory for detailed instructions on how to update your installation.
CVE-2025-64537 is a CRITICAL DOM-based Cross-Site Scripting (XSS) vulnerability affecting Adobe Experience Manager 6.5.23 and earlier, allowing attackers to inject malicious scripts that run in a victim's browser.
If you are using Adobe Experience Manager 6.5.23 or earlier, you are potentially affected by this vulnerability. Check the installed version (for AEM 6.5 it is shown in the Web Console under /system/console/productinfo) and upgrade accordingly.
The recommended fix is to upgrade to a patched version of Adobe Experience Manager. Refer to the official Adobe security advisory for details.
No active exploitation has been publicly reported as of this writing. The CRITICAL rating and the ease with which XSS flaws are weaponized once details are known argue for prompt patching, although the current EPSS estimate (0.73%) indicates a low near-term probability of exploitation.
Please refer to the official Adobe Security Bulletin for CVE-2025-64537 on the Adobe Security Advisories website.