Cyber Resilience

CVE-2025-64537

Critical

Published: 10 December 2025

Published
10 December 2025
Modified
12 December 2025
KEV Added
Patch
CVSS Score v3.1 9.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
EPSS Score 0.0114 78.8th percentile
Risk Priority 19 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-64537 is a critical-severity Cross-site Scripting (CWE-79) vulnerability in Adobe Experience Manager. Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 21.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2025-64537 is a DOM-based Cross-Site Scripting (XSS) vulnerability affecting Adobe Experience Manager versions 6.5.23 and earlier. This flaw, classified under CWE-79, allows attackers to inject malicious scripts into web pages that execute in the context of a victim's browser, potentially leading to arbitrary code execution. The vulnerability carries a CVSS v3.1 base score of 9.3 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N), reflecting its high severity due to network accessibility, low attack complexity, lack of required privileges, and elevated confidentiality and integrity impacts.

An unauthenticated attacker (PR:N) can exploit this issue by crafting a malicious web page that a victim must visit, requiring user interaction. Upon execution in the victim's browser, the injected scripts enable session takeover, compromising the confidentiality and integrity of the affected session with a changed scope (S:C).

Adobe has published Security Bulletin APSB25-115 detailing mitigation steps, available at https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html. Security practitioners should consult this advisory for patch availability and recommended remediation actions for vulnerable Experience Manager deployments.

EU & UK References

Vulnerability details

Adobe Experience Manager versions 6.5.23 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability that could lead to arbitrary code execution. An attacker could exploit this vulnerability by injecting malicious scripts into a web page that are executed…

more

in the context of the victim's browser. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality and integrity impact as high. Exploitation of this issue requires user interaction in that a victim must visit a crafted malicious page.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1539 Steal Web Session Cookie Credential Access
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.
Why these techniques?

DOM-based XSS in public-facing Adobe Experience Manager (T1190: Exploit Public-Facing Application) enables arbitrary script execution in victim browsers, facilitating session takeover via cookie theft (T1539: Steal Web Session Cookie).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-64538Same product: Adobe Experience Manager
CVE-2025-64539Same product: Adobe Experience Manager
CVE-2024-53963Same product: Adobe Experience Manager
CVE-2024-53965Same product: Adobe Experience Manager
CVE-2025-49533Same product: Adobe Experience Manager
CVE-2026-21284Same vendor: Adobe
CVE-2026-21290Same vendor: Adobe
CVE-2026-21361Same vendor: Adobe
CVE-2025-24410Same vendor: Adobe
CVE-2025-24438Same vendor: Adobe

Affected Assets

adobe
experience manager
6.5 · ≤ 6.5.24.0 · ≤ 2025.12.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the DOM-based XSS vulnerability by identifying, reporting, and applying patches as specified in Adobe's security bulletin for affected Experience Manager versions.

prevent

Prevents execution of injected malicious scripts by filtering and encoding dynamic content inserted into web pages, addressing the core DOM manipulation in this XSS flaw.

prevent

Blocks exploitation by validating and sanitizing untrusted inputs such as URL parameters used in client-side script processing for DOM-based attacks.

References