CVE-2025-54252: 
Adobe Experience Manager vulnerability analysis and mitigation

Adobe Experience Manager (AEM) versions 6.5.23.0 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2025-54252. The vulnerability was disclosed on September 9, 2025, and affects both the standard AEM installations and AEM Cloud Service deployments (NVD).

The vulnerability is classified as a stored Cross-Site Scripting (XSS) issue that could be exploited by a low-privileged attacker to inject malicious scripts into vulnerable form fields. The vulnerability has been assigned a CVSS v3.1 base score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. The weakness is categorized under CWE-79 (Improper Neutralization of Input During Web Page Generation) (NVD).

Successful exploitation of this vulnerability could result in bypassing security features within the application. The attack requires user interaction, specifically requiring a victim to browse to the page containing the vulnerable field. The impact is considered moderate as it affects both confidentiality and integrity with low severity, while availability is not impacted (NVD, CIS Advisory).

Adobe has released security updates to address this vulnerability. Organizations are advised to update their Adobe Experience Manager installations to versions newer than 6.5.23.0. For AEM Cloud Service users, updates beyond the 2025.8.0 version are recommended (NVD).