CVE-2025-34509

Summary

Sitecore Experience Manager (XM) and Experience Platform (XP) versions 10.1 to 10.1.4 rev. 011974 PRE, all versions of 10.2, 10.3 to 10.3.3 rev. 011967 PRE, and 10.4 to 10.4.1 rev. 011941 PRE contain a hardcoded user account. Unauthenticated and remote attackers can use this account to access administrative API over HTTP.

Affected Software

VendorProductVersion RangeStatus
SitecoreExperience Manager10.4 < 10.4.1 rev. 011941 PREaffected
SitecoreExperience Manager10.3 < 10.3.3 rev. 011967 PREaffected
SitecoreExperience Manager10.1 < 10.1.4 rev. 011974 PREaffected
SitecoreExperience Platform10.4 < 10.4.1 rev. 011941 PREaffected
SitecoreExperience Platform10.3 < 10.3.3 rev. 011967 PREaffected
SitecoreExperience Platform10.1 < 10.1.4 rev. 011974 PREaffected

Weaknesses

  • CWE-798: CWE-798 Use of Hard-coded Credentials

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: yes
    • Technical Impact: total

References