CVE-2025-34509
7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
Sitecore Experience Manager (XM) and Experience Platform (XP) versions 10.1 to 10.1.4 rev. 011974 PRE, all versions of 10.2, 10.3 to 10.3.3 rev. 011967 PRE, and 10.4 to 10.4.1 rev. 011941 PRE contain a hardcoded user account. Unauthenticated and remote attackers can use this account to access administrative API over HTTP.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Sitecore | Experience Manager | 10.4 < 10.4.1 rev. 011941 PRE | affected |
| Sitecore | Experience Manager | 10.3 < 10.3.3 rev. 011967 PRE | affected |
| Sitecore | Experience Manager | 10.1 < 10.1.4 rev. 011974 PRE | affected |
| Sitecore | Experience Platform | 10.4 < 10.4.1 rev. 011941 PRE | affected |
| Sitecore | Experience Platform | 10.3 < 10.3.3 rev. 011967 PRE | affected |
| Sitecore | Experience Platform | 10.1 < 10.1.4 rev. 011974 PRE | affected |
Weaknesses
- CWE-798: CWE-798 Use of Hard-coded Credentials
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: yes
- Technical Impact: total
References
- https://labs.watchtowr.com/is-b-for-backdoor-pre-auth-rce-chain-in-sitecore-experience-platform/
- https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1003667
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.