Cyber Resilience

CVE-2025-64539

Critical

Published: 10 December 2025

Published
10 December 2025
Modified
12 December 2025
KEV Added
Patch
CVSS Score v3.1 9.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
EPSS Score 0.0045 64.2th percentile
Risk Priority 19 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-64539 is a critical-severity Cross-site Scripting (CWE-79) vulnerability in Adobe Experience Manager. Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 35.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-15 (Information Output Filtering) and SI-2 (Flaw Remediation).

Deeper analysis

Adobe Experience Manager versions 6.5.23 and earlier are affected by CVE-2025-64539, a DOM-based Cross-Site Scripting (XSS) vulnerability mapped to CWE-79. Published on 2025-12-10T19:16:15.310, this flaw allows arbitrary code execution when malicious scripts are injected into a web page and executed in the victim's browser context. The vulnerability carries a CVSS v3.1 base score of 9.3 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N), indicating critical severity due to high confidentiality and integrity impacts.

Remote attackers require no privileges and can exploit this over the network with low complexity, but it demands user interaction as victims must visit a crafted malicious page. Successful exploitation enables session takeover by executing scripts in the browser context, potentially compromising sensitive data and enabling further malicious actions without impacting availability.

Adobe has published security bulletin APSB25-115 at https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html, which provides details on patches and mitigations for affected versions.

EU & UK References

Vulnerability details

Adobe Experience Manager versions 6.5.23 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability that could lead to arbitrary code execution. An attacker could exploit this vulnerability by injecting malicious scripts into a web page that are executed…

more

in the context of the victim's browser. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality and integrity impact as high. Exploitation of this issue requires user interaction in that a victim must visit a crafted malicious page.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.007 JavaScript Execution
Adversaries may abuse various implementations of JavaScript for execution.
T1539 Steal Web Session Cookie Credential Access
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.
Why these techniques?

DOM-based XSS in public-facing Adobe Experience Manager enables exploitation of public-facing application (T1190), arbitrary JavaScript execution in browser (T1059.007), and session takeover via stealing web session cookies (T1539).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-64538Same product: Adobe Experience Manager
CVE-2025-64537Same product: Adobe Experience Manager
CVE-2024-53963Same product: Adobe Experience Manager
CVE-2024-53965Same product: Adobe Experience Manager
CVE-2025-49533Same product: Adobe Experience Manager
CVE-2026-21284Same vendor: Adobe
CVE-2026-21361Same vendor: Adobe
CVE-2025-24410Same vendor: Adobe
CVE-2026-34686Same vendor: Adobe
CVE-2026-21290Same vendor: Adobe

Affected Assets

adobe
experience manager
6.5 · ≤ 6.5.24.0 · ≤ 2025.12.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Flaw remediation requires applying Adobe's patches from APSB25-115 to directly eliminate the DOM-based XSS vulnerability in Experience Manager.

prevent

Information output filtering encodes or sanitizes web page outputs to prevent injected malicious scripts from executing in victims' browsers.

prevent

Information input validation detects and blocks malicious script payloads before they reach the DOM manipulation logic in the vulnerable application.

References