{"id":24209,"date":"2025-06-25T00:06:52","date_gmt":"2025-06-24T20:06:52","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/vulnerabilities-sitecore-experience-platform\/24209\/"},"modified":"2025-06-25T00:06:52","modified_gmt":"2025-06-24T20:06:52","slug":"vulnerabilities-sitecore-experience-platform","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/vulnerabilities-sitecore-experience-platform\/24209\/","title":{"rendered":"&#8220;B&#8221;-grade security: three vulnerabilities in Sitecore CMS"},"content":{"rendered":"<p>Researchers have <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/sitecore-cms-exploit-chain-starts-with-hardcoded-b-password\/\" target=\"_blank\" rel=\"nofollow noopener\">uncovered<\/a> three vulnerabilities in the popular content management system, Sitecore Experience Platform.<\/p>\n<ul>\n<li><a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2025-34509\" target=\"_blank\" rel=\"nofollow noopener\">CVE-2025-34509<\/a> involves a hard-coded password (consisting of just a single letter) that allows an attacker to remotely log in as a service account.<\/li>\n<li><a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2025-34510\" target=\"_blank\" rel=\"nofollow noopener\">CVE-2025-34510<\/a> is a Zip Slip vulnerability enabling an authenticated user to upload and extract a ZIP archive to the website\u2019s root directory.<\/li>\n<li><a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2025-34511\" target=\"_blank\" rel=\"nofollow noopener\">CVE-2025-34511<\/a> also allows users to upload external files to the site, but this time without any restrictions.<\/li>\n<\/ul>\n<p>By combining the first vulnerability with either of the latter two, an attacker can achieve remote code execution (RCE) on a server running the Sitecore Experience Platform.<\/p>\n<p>There\u2019s currently no evidence of these vulnerabilities being exploited in the wild; however, the detailed <a href=\"https:\/\/labs.watchtowr.com\/is-b-for-backdoor-pre-auth-rce-chain-in-sitecore-experience-platform\/\" target=\"_blank\" rel=\"nofollow noopener\">analysis<\/a> published by watchTowr contains enough information for threat actors to weaponize them at any moment.<\/p>\n<h2>CVE-2025-34509 \u2014 access through a preset account<\/h2>\n<p>The Sitecore CMS includes several default accounts, one of which is sitecoreServicesAPI. Naturally, passwords for all accounts are stored in a hashed (and even <a href=\"https:\/\/encyclopedia.kaspersky.com\/glossary\/salt\/\" target=\"_blank\" rel=\"noopener\">salted<\/a>) form. However, this doesn\u2019t make much difference if the password consists of just the single letter \u201cb\u201d. Such a password can be brute-forced in about three seconds.<\/p>\n<p>Notably, Sitecore\u2019s developers <a href=\"https:\/\/doc.sitecore.com\/xp\/en\/developers\/latest\/platform-administration-and-architecture\/the-user-accounts.html\" target=\"_blank\" rel=\"nofollow noopener\">advise against modifying default accounts<\/a>, warning that \u201cediting a default user account can affect other areas of the security model\u201d (whatever that means). Site admins following the official instructions are thus unlikely to change these passwords. As a result, such default accounts are likely present in most websites using this CMS.<\/p>\n<p>That said, the sitecoreServicesAPI user has no assigned rights or roles, so simply authenticating through the standard Sitecore login interface isn\u2019t possible. However, the researchers found a way to bypass the database check required for successful authentication (for details, see the original <a href=\"https:\/\/labs.watchtowr.com\/is-b-for-backdoor-pre-auth-rce-chain-in-sitecore-experience-platform\/\" target=\"_blank\" rel=\"noopener nofollow\">research<\/a>). As a result, the attacker obtains a valid session cookie. They still don\u2019t have administrator rights, but this cookie can be used for further attacks.<\/p>\n<h2>CVE-2025-34510 \u2014 vulnerability in Sitecore\u2019s file uploader<\/h2>\n<p>Sitecore has a file upload mechanism which any authenticated user can use. So having a valid session cookie, an attacker can create an HTTP request to upload and automatically extract a ZIP archive. The essence of CVE-2025-34510 is that due to flawed input sanitization, an authenticated attacker can perform a path traversal. You can read more about this type of vulnerability \u2014 known as Zip Slip \u2014 in our <a href=\"https:\/\/www.kaspersky.com\/blog\/archive-and-disk-image-threats-and-security-policies\/53295\/\" target=\"_blank\" rel=\"noopener nofollow\">post on ZIP file processing<\/a>. In essence, the attacker can extract the archive to any location \u2014 for example, the website\u2019s root folder. This way, the attacker can upload anything \u2014 such as their own <a href=\"https:\/\/encyclopedia.kaspersky.com\/glossary\/web-shell\/\" target=\"_blank\" rel=\"noopener\">web shell<\/a>.<\/p>\n<h2>CVE-2025-34511 \u2014 vulnerability in the file uploader of the Sitecore PowerShell Extensions module<\/h2>\n<p>CVE-2025-34511 is an alternative way to compromise Sitecore. This vulnerability is present in the Sitecore PowerShell Extensions module, which is required for a number of Sitecore extensions to function \u2014 for example, the Sitecore Experience Accelerator, one of the most popular extensions for this CMS.<\/p>\n<p>Essentially, this vulnerability works in much the same way as CVE-2025-34510, only slightly simpler. The Sitecore PowerShell extension also has its own file upload mechanism, which can be exploited by an authenticated user. Through HTTP requests, an attacker can upload any file with any extension to the CMS, and save it to any directory on the website. This means there\u2019s no need to prepare a custom ZIP archive and path, and the result is basically the same: a web shell upload.<\/p>\n<h2>How to protect against attacks on the Sitecore Experience Platform<\/h2>\n<p>Patches for these three vulnerabilities were released back in May 2025. If your company uses Sitecore, especially in combination with Sitecore PowerShell Extensions, we recommend updating the CMS as soon as possible. According to NIST descriptions, CVE-2025-34509 affects Sitecore Experience Manager and Experience Platform versions 10.1 through 10.1.4 rev. 011974 PRE; all variants of 10.2; 10.3 through 10.3.3 rev. 011967 PRE; and 10.4 through 10.4.1 rev. 011941 PRE. CVE-2025-34510 is present in Experience Manager, Experience Platform, and Experience Commerce versions 9.0 through 9.3 and 10.0 through 10.4. Lastly, CVE-2025-34511 affects all versions of Sitecore PowerShell Extensions up to version 7.0.<\/p>\n<p>The researchers who discovered these flaws claim to be aware of four other, much more interesting vulnerabilities. However, since patches aren\u2019t ready yet, they\u2019ve said they will disclose these vulnerabilities later. As such, we recommend keeping an eye on upcoming updates from the Sitecore developers.<\/p>\n<input type=\"hidden\" class=\"category_for_banner\" value=\"kaspersky-next\">\n","protected":false},"excerpt":{"rendered":"<p>Researchers have found several vulnerabilities in the Sitecore CMS platform that enable unauthenticated remote code execution (RCE).<\/p>\n","protected":false},"author":2726,"featured_media":24210,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1318,1916,1917],"tags":[1457,2078,187,2261,1022,521,268,399],"class_list":{"0":"post-24209","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-enterprise","9":"category-smb","10":"tag-business","11":"tag-cms","12":"tag-passwords","13":"tag-rce","14":"tag-risks","15":"tag-threats","16":"tag-vulnerabilities","17":"tag-websites"},"hreflang":[{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/vulnerabilities-sitecore-experience-platform\/24209\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/vulnerabilities-sitecore-experience-platform\/28979\/"},{"hreflang":"ar","url":"https:\/\/me.kaspersky.com\/blog\/vulnerabilities-sitecore-experience-platform\/12540\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/vulnerabilities-sitecore-experience-platform\/29090\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/vulnerabilities-sitecore-experience-platform\/28274\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/vulnerabilities-sitecore-experience-platform\/31096\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/vulnerabilities-sitecore-experience-platform\/29789\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/vulnerabilities-sitecore-experience-platform\/39950\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/vulnerabilities-sitecore-experience-platform\/13501\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/vulnerabilities-sitecore-experience-platform\/53683\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/vulnerabilities-sitecore-experience-platform\/22920\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/vulnerabilities-sitecore-experience-platform\/23953\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/vulnerabilities-sitecore-experience-platform\/32365\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/vulnerabilities-sitecore-experience-platform\/29308\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/vulnerabilities-sitecore-experience-platform\/35017\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/vulnerabilities-sitecore-experience-platform\/34656\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/me-en.kaspersky.com\/blog\/tag\/vulnerabilities\/","name":"vulnerabilities"},"_links":{"self":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/24209","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2726"}],"replies":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=24209"}],"version-history":[{"count":0,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/24209\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/24210"}],"wp:attachment":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=24209"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=24209"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=24209"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}