Cyber Posture

CVE-2025-64538

Critical

Published: 10 December 2025

Published
10 December 2025
Modified
12 December 2025
KEV Added
Patch
CVSS Score 9.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
EPSS Score 0.0036 58.3th percentile
Risk Priority 19 60% EPSS · 20% KEV · 20% CVSS

Description

Adobe Experience Manager versions 6.5.23 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability that could lead to arbitrary code execution. An attacker could exploit this vulnerability by injecting malicious scripts into a web page that are executed…

more

in the context of the victim's browser. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality and integrity impact as high. Exploitation of this issue requires user interaction in that a victim must visit a crafted malicious page.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Applying vendor-provided patches directly remediates the specific DOM-based XSS flaw in Adobe Experience Manager versions 6.5.23 and earlier.

SI-15 Information Output Filtering good match
prevent

Filtering information output from the web application prevents malicious scripts from being executable in the victim's browser context during DOM manipulation.

SI-10 Information Input Validation partial match
prevent

Validating user inputs server-side blocks or sanitizes malicious payloads that could be used to trigger DOM-based XSS on crafted pages.

Security SummaryAI

CVE-2025-64538 is a DOM-based Cross-Site Scripting (XSS) vulnerability, classified under CWE-79, affecting Adobe Experience Manager versions 6.5.23 and earlier. This flaw enables arbitrary code execution by allowing attackers to inject malicious scripts into a web page, which then execute in the context of the victim's browser. Published on 2025-12-10, the vulnerability carries a CVSS v3.1 base score of 9.3 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N), reflecting its high severity due to network accessibility, low attack complexity, and significant impacts on confidentiality and integrity.

An unauthenticated attacker can exploit this vulnerability by luring a victim to visit a crafted malicious page, requiring user interaction. Once the victim accesses the page, the injected scripts execute within their browser session, potentially leading to session takeover. This grants the attacker high-level access to the victim's authenticated context in Adobe Experience Manager, amplifying risks to data confidentiality and integrity without impacting availability.

Adobe's security advisory APSB25-115, available at https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html, details the vulnerability and provides guidance on mitigations, including available patches for affected versions.

Details

CWE(s)
CWE-79

Affected Products

adobe
experience manager
6.5 · ≤ 6.5.24.0 · ≤ 2025.12.0

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1539 Steal Web Session Cookie Credential Access
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.
attack.mitre.org →
Why these techniques?

DOM-based XSS in public-facing Adobe Experience Manager enables exploitation of public-facing application (T1190) and facilitates stealing web session cookies for session takeover (T1539).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References