Proof-of-Concept Exploit Released for Pre-Auth RCE Chain in Sitecore Experience Platform
Summary
Security researchers have released a technical writeup which, with minimal modification, serves as a proof-of-concept exploit that could allow unauthenticated remote attackers to execute arbitrary code.
Affected platforms
The following platforms are known to be affected:
Threat details
Vulnerabilities can be exploited as part of a chain
Security researchers at watchTowr have released technical details for three vulnerabilities that can be exploited as a chain to perform remote code execution and are trivial to exploit. The NHS England National CSOC assesses future exploitation as highly likely.
Introduction
Security researchers at watchTowr have released technical details for three vulnerabilities in the Sitecore Experience Platform (XP). Experience Platform is a content management system (CMS) used to create and manage digital content on websites.
Vulnerability details
- CVE-2025-34509 is a "use of hard-coded credentials" vulnerability in Sitecore Experience Manager (XM), Experience Platform (XP), and Experience Commerce (XC) with a CVSSv3 score of 8.2. An unauthenticated, remote attacker could use the hard-coded credentials to perform administrative actions over the Sitecore API.
- CVE-2025-34510 is a "relative path traversal" vulnerability in Sitecore XM, XP, and XC with a CVSSv3 score of 8.8. Successful exploitation could allow a remote, authenticated attacker to write arbitrary files by sending a crafted HTTP request, potentially leading to arbitrary code execution.
- CVE-2025-34511 is an "unrestricted upload of file with dangerous type" vulnerability in Sitecore PowerShell Extensions with a CVSSv3 score of 8.8. Successful exploitation could allow a remote, authenticated attacker to upload arbitrary files, potentially leading to remote code execution.
CVE-2025-34509, CVE-2025-34510 and CVE-2025-34511 can be chained together to allow a remote, unauthenticated attacker to execute arbitrary code on the Sitecore server.
Threat updates
Date | Update
---|---
19 Jun 2025 | Sitecore Security Bulletin SC2025-003 released. The following changes have been made to reflect SC2025-003:
Remediation advice
Affected organisations are strongly encouraged to review Sitecore Security Bulletin SC2025-003 and apply the temporary patch detailed below. The patch can be used for all impacted product versions.
Note: Sitecore will additionally provide cumulative pre-releases for mainstream Sitecore XP versions at a later date that will include the same fix.
Remediation steps
Type | Step
---|---
Patch | 9.0 Initial Release to 9.3 Initial Release: download and unpack the Sitecore.Support.9.0-9.3.zip release and follow the instructions in the Readme.md file. https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1003667
Patch | 10.0 Initial Release to 10.4 Initial Release: download and unpack the Sitecore.Support.10.0-10.4.zip release and follow the instructions in the Readme.md file. https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1003667
Guidance | Hotfixes are not automatically rolled into cloud marketplace versions or Managed Cloud deployments. Cloud marketplaces (such as Azure Marketplace) support the same versions that have been released at dev.sitecore.net. Organisations using cloud marketplace versions of Sitecore or a Sitecore Managed Cloud deployment should apply the above solution to their instance. https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1003667
Definitive source of threat updates
CVE Vulnerabilities
Last edited: 19 June 2025 3:10 pm