Researchers have uncovered three vulnerabilities in the popular content management system Sitecore Experience Platform.
- CVE-2025-34509 involves a hard-coded password (consisting of just a single letter) that allows an attacker to remotely log in as a service account.
- CVE-2025-34510 is a Zip Slip vulnerability that lets an authenticated user upload and extract a ZIP archive into the website's root directory.
- CVE-2025-34511 also lets users upload external files to the site, but this time without any restrictions.
By combining the first vulnerability with either of the latter two, an attacker can achieve remote code execution (RCE) on a server running the Sitecore Experience Platform.
There is currently no evidence of these vulnerabilities being exploited in the wild; however, the detailed analysis published by watchTowr contains enough information for threat actors to weaponize them at any moment.
CVE-2025-34509 — access through a preset account
The Sitecore CMS includes several default accounts, one of which is sitecoreServicesAPI. Naturally, passwords for all accounts are stored in hashed (and even salted) form. However, this makes little difference when the password consists of just the single letter "b". Such a password can be brute-forced in about three seconds.
Notably, Sitecore's developers advise against modifying default accounts, warning that "modifying a default user account can affect other areas of the security model" (whatever that means). Site admins following the official instructions are thus unlikely to change these passwords. As a result, such default accounts are likely present on most websites using this CMS.
That said, the sitecoreServicesAPI user has no assigned rights or roles, so simply authenticating through the standard Sitecore login interface isn't possible. However, the researchers found a way to bypass the database check required for successful authentication (for details, see the original research). As a result, the attacker obtains a valid session cookie. They still don't have administrator rights, but this cookie can be used for further attacks.
CVE-2025-34510 — vulnerability in Sitecore's file uploader
Sitecore has a file upload mechanism that any authenticated user can use. So, with a valid session cookie, an attacker can craft an HTTP request to upload and automatically extract a ZIP archive. The essence of CVE-2025-34510 is that, due to flawed input sanitization, an authenticated attacker can perform a path traversal. You can read more about this type of vulnerability, known as Zip Slip, in our post on ZIP file processing. In essence, the attacker can extract the archive to any location, for example the website's root folder. This way, the attacker can upload anything, such as their own web shell.
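As an added illustration of the defensive side of the Zip Slip check described above (this is example code written for this article, not code from the original post or from Sitecore), the Python extractor below rejects any archive entry whose name would escape the destination directory and is run over a constructed in-memory archive containing one benign entry and two traversal attempts.

```python
import io
import os
import tempfile
import zipfile
from pathlib import Path


def unsafe_entry(name: str) -> bool:
    """True if a ZIP entry name could escape the extraction directory (Zip Slip)."""
    # Normalise Windows separators so '..\\' traversal is caught on any platform.
    parts = name.replace("\\", "/").split("/")
    if name.startswith(("/", "\\")) or os.path.splitdrive(name)[0]:
        return True  # absolute path or drive letter
    return ".." in parts  # any parent-directory component


def safe_extract(zip_bytes: bytes, dest: Path) -> tuple[list[str], list[str]]:
    """Extract only entries that stay under dest; return (extracted, rejected) names."""
    extracted, rejected = [], []
    dest = dest.resolve()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = (dest / info.filename).resolve()
            # Belt and braces: syntactic check plus resolved-path containment check.
            if unsafe_entry(info.filename) or not target.is_relative_to(dest):
                rejected.append(info.filename)
                continue
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
            else:
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_bytes(zf.read(info))
            extracted.append(info.filename)
    return extracted, rejected


def build_sample_zip() -> bytes:
    """Constructed sample archive: one benign asset plus two traversal entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("media/logo.txt", "benign asset")
        zf.writestr("../../webroot/shell.aspx", "would land outside dest")
        zf.writestr("..\\..\\webroot\\shell.aspx", "windows-style traversal")
    return buf.getvalue()


def demo() -> tuple[list[str], list[str]]:
    """Run the safe extractor on the sample archive inside a throwaway directory."""
    with tempfile.TemporaryDirectory() as tmp:
        return safe_extract(build_sample_zip(), Path(tmp))
```

The syntactic check matters on its own: on Linux a backslash-separated name is a single odd filename that the path-resolution check alone would happily keep inside dest, while the same archive extracted on Windows would traverse.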
CVE-2025-34511 — vulnerability in the file uploader of the Sitecore PowerShell Extensions module
CVE-2025-34511 is an alternative way to compromise Sitecore. This vulnerability is present in the Sitecore PowerShell Extensions module, which is required for a number of Sitecore extensions to function, for example the Sitecore Experience Accelerator, one of the most popular extensions for this CMS.
Essentially, this vulnerability works in much the same way as CVE-2025-34510, only slightly simpler. The Sitecore PowerShell extension also has its own file upload mechanism, which can be exploited by an authenticated user. Through HTTP requests, an attacker can upload any file with any extension to the CMS and save it to any directory on the website. This means there's no need to prepare a custom ZIP archive and path, and the result is basically the same: a web shell upload.
How to protect against attacks on the Sitecore Experience Platform
Patches for these three vulnerabilities were released back in May 2025. If your company uses Sitecore, especially together with Sitecore PowerShell Extensions, we recommend updating the CMS as soon as possible. According to NIST descriptions, CVE-2025-34509 affects Sitecore Experience Manager and Experience Platform versions 10.1 through 10.1.4 rev. 011974 PRE; all versions of 10.2; 10.3 through 10.3.3 rev. 011967 PRE; and 10.4 through 10.4.1 rev. 011941 PRE. CVE-2025-34510 is present in Experience Manager, Experience Platform, and Experience Commerce versions 9.0 through 9.3 and 10.0 through 10.4. Finally, CVE-2025-34511 affects all versions of Sitecore PowerShell Extensions up to version 7.0.
The researchers who discovered these flaws claim to be aware of four other, much more interesting vulnerabilities. However, since patches aren't ready yet, they've said they'll disclose these vulnerabilities later. As such, we recommend keeping an eye on upcoming updates from the Sitecore developers.