Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
7DescriptionCVE.org
Sitecore Experience Manager (XM) and Experience Platform (XP) versions 10.1 to 10.1.4 rev. 011974 PRE, all versions of 10.2, 10.3 to 10.3.3 rev. 011967 PRE, and 10.4 to 10.4.1 rev. 011941 PRE contain a hardcoded user account. Unauthenticated and remote attackers can use this account to access administrative API over HTTP.
AnalysisAI
Sitecore Experience Manager (XM) and Experience Platform (XP) versions 10.1 through 10.4.1 contain a hardcoded administrative user account that allows unauthenticated remote attackers to gain unauthorized access to sensitive administrative APIs over HTTP without authentication. This vulnerability has a CVSS score of 7.5 (High) and enables confidentiality breach through direct API access; exploitation likelihood is high due to the low attack complexity and lack of authentication requirements.
Technical ContextAI
This vulnerability is rooted in CWE-798 (Use of Hard-Coded Credentials), a critical authentication bypass flaw. Sitecore XM and XP platforms embed a static credential (username/password combination) within the application codebase or configuration, likely in configuration files, source code, or compiled binaries. Affected CPE strings encompass: Sitecore Experience Manager 10.1.x, 10.2.x, 10.3.x, 10.4.x and Sitecore Experience Platform 10.1.x, 10.2.x, 10.3.x, 10.4.x. The hardcoded account bypasses standard authentication mechanisms entirely, allowing direct HTTP access to administrative REST/SOAP APIs that should be restricted to authenticated and authorized users. The vulnerability affects both XM (single-tenant) and XP (multi-tenant platform) deployments.
RemediationAI
Immediate actions: (1) Update to patched versions—Sitecore released patches addressing this CVE; consult Sitecore Release Notes and Security Bulletins at https://support.sitecore.com for exact patch versions (expected: rev. 011975+ for 10.1.x, rev. 011968+ for 10.3.x, rev. 011942+ for 10.4.x); (2) If patching is delayed, disable or restrict HTTP access to administrative APIs at the network/firewall level—ensure only HTTPS is accessible and restrict access by IP to trusted admin networks; (3) Rotate or disable the hardcoded administrative account immediately if credential details are known; (4) Audit API access logs for unauthorized administrative API calls using the hardcoded account credentials; (5) Implement Web Application Firewall (WAF) rules to block direct API calls without proper authentication headers; (6) Review Sitecore's official security advisory (expected CVE-2025-34509 bulletin) for detailed patch and rollback instructions.
More in Experience Commerce
View allSitecore Experience Manager, Platform, and Commerce versions 9.0 through 10.4 contain a Zip Slip vulnerability that allo
Sitecore PowerShell Extensions through version 7.0 allows authenticated users to upload arbitrary files including ASPX w
Multiple Sitecore products allow remote code execution. Rated critical severity (CVSS 9.8), this vulnerability is remote
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Sitecore Sitecore Experience Manager (XM), S
An issue was discovered in Sitecore Experience Platform (XP), Experience Manager (XM), and Experience Commerce (XC) 8.0
An issue in the MVC Device Simulator of Sitecore Experience Platform (XP), Experience Manager (XM), and Experience Comme
Sitecore Experience Manager/Platform through version 9.0 contains a deserialization vulnerability enabling code injectio
Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') vulnerability in Sitecore Sitecore Ex
Deserialization of Untrusted Data vulnerability in Sitecore Experience Manager (XM), Sitecore Experience Platform (XP) a
Same weakness CWE-798 – Use of Hard-coded Credentials
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-18524