Platform: adobe
Component: adobe-experience-manager
Fixed in: 6.5.24
CVE-2025-64538 is a DOM-based Cross-Site Scripting (XSS) vulnerability affecting Adobe Experience Manager versions 6.5.23 and earlier. This vulnerability allows an attacker to inject malicious scripts into a web page, which are then executed within the context of a victim's browser. While exploitation requires user interaction (visiting a crafted page), the potential impact is severe, including session takeover and data breaches. Adobe has released updates to address this issue.
The primary impact of CVE-2025-64538 is the potential for arbitrary code execution within the victim's browser. An attacker can leverage this to steal session cookies, redirect users to malicious websites, or deface the website. The vulnerability’s DOM-based nature means that the attacker doesn't necessarily need to control the entire page, only a specific element. This makes it easier to exploit than traditional XSS vulnerabilities. The ability to achieve session takeover significantly increases the confidentiality and integrity impact, as an attacker can impersonate legitimate users and access sensitive data. The blast radius extends to any user who interacts with a page containing the injected script.
CVE-2025-64538 was publicly disclosed on December 10, 2025. While no public proof-of-concept (PoC) code has been released at the time of writing, the vulnerability's nature and severity suggest a high probability of exploitation. It is not currently listed on the CISA KEV catalog. The potential for session takeover makes this a high-priority vulnerability to address.
Organizations heavily reliant on Adobe Experience Manager for content management and digital experiences are at significant risk. Specifically, deployments with custom components or integrations that handle user-supplied data without proper sanitization are particularly vulnerable. Shared hosting environments where multiple websites share the same Experience Manager instance also increase the attack surface.
• adobe: Monitor Experience Manager logs for unusual script execution patterns or attempts to access sensitive data.
    Get-WinEvent -LogName Application -FilterXPath "*[System[Provider[@Name='Adobe Experience Manager']]]" | Where-Object {$_.Message -match "XSS"}
• generic web: Inspect HTTP response headers for unexpected script tags or unusual content.
    curl -I https://example.com/ | grep -i script
• generic web: Review access logs for requests containing suspicious URL parameters or POST data that could be exploited for XSS.
    grep -i 'script' /var/log/apache2/access.log
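
The access-log review described above, as an added example (not from the original page or from Adobe): it percent-decodes query parameters, including double encoding, before matching, which a plain `grep -i 'script'` does not do. The Apache combined log format, the marker list and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Markers checked after decoding; a triage heuristic, not a complete signature set.
MARKERS = re.compile(r"<\s*script|javascript:|\bon\w+\s*=|<\s*(?:img|svg|iframe)\b", re.I)

# Apache combined log format (assumed): capture client, request target, status.
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:\S+) (\S+)[^"]*" (\d{3})')

def decode_fully(value, rounds=3):
    """Percent-decode repeatedly so double-encoded values are normalised."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_requests(lines):
    """Return (client, parameter, decoded value) for each flagged query parameter."""
    hits = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        client, target, _status = m.groups()
        # parse_qsl decodes once; decode_fully handles further encoding layers.
        for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
            decoded = decode_fully(value)
            if MARKERS.search(decoded):
                hits.append((client, name, decoded))
    return hits

# Constructed sample lines (not taken from a real system).
SAMPLE = [
    '203.0.113.5 - - [10/Dec/2025:10:00:00 +0000] "GET /content/site/en.html?q=aem+scripts HTTP/1.1" 200 512 "-" "curl/8.0"',
    '203.0.113.9 - - [10/Dec/2025:10:00:02 +0000] "GET /content/site/search.html?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 734 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Dec/2025:10:00:05 +0000] "GET /content/site/en.html?ref=%253Cimg%2520src%253Dx%2520onerror%253D1%253E HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for client, name, value in suspicious_requests(SAMPLE):
        print(f"{client} param={name!r} decoded={value!r}")
```

The first sample line contains the word "scripts" and would match the plain grep, but is not flagged here. A payload carried in the URL fragment is never sent to the server, so it will not appear in access logs at all.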
EPSS: 0.73% (72nd percentile)
The primary mitigation for CVE-2025-64538 is to upgrade to a patched version of Adobe Experience Manager. Adobe has released updates to address this vulnerability; refer to the official Adobe security advisory for specific version details. If immediate patching is not possible, consider implementing strict input validation and output encoding on all user-supplied data. Web Application Firewalls (WAFs) configured to detect and block XSS payloads can provide an additional layer of defense. Regularly scan your Experience Manager instance for vulnerabilities using automated security tools.
Update Adobe Experience Manager to a version later than 6.5.23. This will remediate the DOM-based XSS vulnerability. Consult Adobe's security advisory for more details and specific update instructions.
CVE-2025-64538 is a critical DOM-based Cross-Site Scripting (XSS) vulnerability in Adobe Experience Manager versions 0–6.5.23, allowing attackers to inject malicious scripts and potentially take over user sessions.
If you are using Adobe Experience Manager versions 6.5.23 or earlier, you are potentially affected by this vulnerability. Check your version and upgrade as soon as possible.
Upgrade to a patched version of Adobe Experience Manager. Refer to the official Adobe security advisory for specific version details and patching instructions.
While no public exploits are currently known, the vulnerability's severity suggests a high probability of exploitation. Proactive patching is highly recommended.
Refer to the official Adobe Security Bulletin for details: [https://www.adobe.com/security/advisories/AdobeSecurityBulletin.htm](https://www.adobe.com/security/advisories/AdobeSecurityBulletin.htm)