CVE-2025-34509

| EUVD-2025-18524 HIGH
2025-06-17 [email protected]
7.5
CVSS 3.1
Share

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Analysis Generated
Mar 14, 2026 - 22:15 vuln.today
EUVD ID Assigned
Mar 14, 2026 - 22:15 euvd
EUVD-2025-18524
PoC Detected
Dec 27, 2025 - 17:15 vuln.today
Public exploit code
CVE Published
Jun 17, 2025 - 19:15 nvd
HIGH 7.5

Tags

Information Disclosure Experience Commerce Managed Cloud Experience Manager Experience Platform

Description

Sitecore Experience Manager (XM) and Experience Platform (XP) versions 10.1 to 10.1.4 rev. 011974 PRE, all versions of 10.2, 10.3 to 10.3.3 rev. 011967 PRE, and 10.4 to 10.4.1 rev. 011941 PRE contain a hardcoded user account. Unauthenticated and remote attackers can use this account to access administrative API over HTTP.

Analysis

Sitecore Experience Manager (XM) and Experience Platform (XP) versions 10.1 through 10.4.1 contain a hardcoded administrative user account that allows unauthenticated remote attackers to gain unauthorized access to sensitive administrative APIs over HTTP without authentication. This vulnerability has a CVSS score of 7.5 (High) and enables confidentiality breach through direct API access; exploitation likelihood is high due to the low attack complexity and lack of authentication requirements.

Technical Context

This vulnerability is rooted in CWE-798 (Use of Hard-Coded Credentials), a critical authentication bypass flaw. Sitecore XM and XP platforms embed a static credential (username/password combination) within the application codebase or configuration, likely in configuration files, source code, or compiled binaries. Affected CPE strings encompass: Sitecore Experience Manager 10.1.x, 10.2.x, 10.3.x, 10.4.x and Sitecore Experience Platform 10.1.x, 10.2.x, 10.3.x, 10.4.x. The hardcoded account bypasses standard authentication mechanisms entirely, allowing direct HTTP access to administrative REST/SOAP APIs that should be restricted to authenticated and authorized users. The vulnerability affects both XM (single-tenant) and XP (multi-tenant platform) deployments.

Affected Products

Sitecore Experience Manager (XM) versions: 10.1.0 through 10.1.4 rev. 011974 PRE, 10.2.0 (all versions), 10.3.0 through 10.3.3 rev. 011967 PRE, 10.4.0 through 10.4.1 rev. 011941 PRE. Sitecore Experience Platform (XP) versions: 10.1.0 through 10.1.4 rev. 011974 PRE, 10.2.0 (all versions), 10.3.0 through 10.3.3 rev. 011967 PRE, 10.4.0 through 10.4.1 rev. 011941 PRE. Versions 10.0 and earlier, and versions after 10.4.1 (post-patched revisions) are not affected. Sitecore Versions 11.0 and later have not been reported as affected.

Remediation

Immediate actions: (1) Update to patched versions—Sitecore released patches addressing this CVE; consult Sitecore Release Notes and Security Bulletins at https://support.sitecore.com for exact patch versions (expected: rev. 011975+ for 10.1.x, rev. 011968+ for 10.3.x, rev. 011942+ for 10.4.x); (2) If patching is delayed, disable or restrict HTTP access to administrative APIs at the network/firewall level—ensure only HTTPS is accessible and restrict access by IP to trusted admin networks; (3) Rotate or disable the hardcoded administrative account immediately if credential details are known; (4) Audit API access logs for unauthorized administrative API calls using the hardcoded account credentials; (5) Implement Web Application Firewall (WAF) rules to block direct API calls without proper authentication headers; (6) Review Sitecore's official security advisory (expected CVE-2025-34509 bulletin) for detailed patch and rollback instructions.

Priority Score

81
Low Medium High Critical
KEV: 0
EPSS: +23.2
CVSS: +38
POC: +20

Share

CVE-2025-34509 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy