What is the CVSS score of CVE-2025-34509?

CVE-2025-34509 has a CVSS 3.1 base score of 7.5 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. EPSS exploitation probability: 23.2%.

Which versions of Experience Commerce are affected by CVE-2025-34509?

Sitecore Experience Manager and Experience Platform versions 10.1-10.4.1 contain a hardcoded administrative credential that allows unauthenticated attackers to bypass authentication and access…. A patch is available.

Is there a public PoC exploit available for CVE-2025-34509?

Yes, a public proof-of-concept exploit is available for CVE-2025-34509. Prioritise patching immediately. EPSS: 23.2%.

How to fix or mitigate CVE-2025-34509?

Within 24 hours: Identify all Sitecore XM and XP instances running versions 10.1-10.4.1 and isolate them from untrusted networks or place them behind authentication-enforcing reverse proxies. Within 7 days: Apply vendor-released patch to upgrade all affected instances to version 10.4.2 or later, or implement network-level access controls restricting administrative API endpoints to authorized personnel only. Within 30 days: Conduct an audit of administrative API access logs for the last 90 days to detect unauthorized access, reset all administrative credentials, and enforce multi-factor authentication on administrative accounts.

Experience Commerce CVE-2025-34509

EUVD-2025-18524 HIGH

Use of Hard-coded Credentials (CWE-798)

2025-06-17 disclosure@vulncheck.com

Information Disclosure Experience Commerce Experience Manager Experience Platform Managed Cloud

7.5

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Lifecycle Timeline

Analysis Updated

Apr 16, 2026 - 06:37 EUVD-patch-fix

executive_summary

Re-analysis Queued

Apr 16, 2026 - 05:29 backfill_euvd_patch

patch_released

Patch available

Apr 16, 2026 - 05:29 EUVD

10.1.4,10.4.1,10.3.3

EUVD ID Assigned

Mar 14, 2026 - 22:15 euvd

EUVD-2025-18524

Analysis Generated

Mar 14, 2026 - 22:15 vuln.today

PoC Detected

Dec 27, 2025 - 17:15 vuln.today

Public exploit code

CVE Published

Jun 17, 2025 - 19:15 nvd

HIGH 7.5

DescriptionNVD

Sitecore Experience Manager (XM) and Experience Platform (XP) versions 10.1 to 10.1.4 rev. 011974 PRE, all versions of 10.2, 10.3 to 10.3.3 rev. 011967 PRE, and 10.4 to 10.4.1 rev. 011941 PRE contain a hardcoded user account. Unauthenticated and remote attackers can use this account to access administrative API over HTTP.

AnalysisAI

Sitecore Experience Manager (XM) and Experience Platform (XP) versions 10.1 through 10.4.1 contain a hardcoded administrative user account that allows unauthenticated remote attackers to gain unauthorized access to sensitive administrative APIs over HTTP without authentication. This vulnerability has a CVSS score of 7.5 (High) and enables confidentiality breach through direct API access; exploitation likelihood is high due to the low attack complexity and lack of authentication requirements.

Technical ContextAI

This vulnerability is rooted in CWE-798 (Use of Hard-Coded Credentials), a critical authentication bypass flaw. Sitecore XM and XP platforms embed a static credential (username/password combination) within the application codebase or configuration, likely in configuration files, source code, or compiled binaries. Affected CPE strings encompass: Sitecore Experience Manager 10.1.x, 10.2.x, 10.3.x, 10.4.x and Sitecore Experience Platform 10.1.x, 10.2.x, 10.3.x, 10.4.x. The hardcoded account bypasses standard authentication mechanisms entirely, allowing direct HTTP access to administrative REST/SOAP APIs that should be restricted to authenticated and authorized users. The vulnerability affects both XM (single-tenant) and XP (multi-tenant platform) deployments.

RemediationAI

Immediate actions: (1) Update to patched versions—Sitecore released patches addressing this CVE; consult Sitecore Release Notes and Security Bulletins at https://support.sitecore.com for exact patch versions (expected: rev. 011975+ for 10.1.x, rev. 011968+ for 10.3.x, rev. 011942+ for 10.4.x); (2) If patching is delayed, disable or restrict HTTP access to administrative APIs at the network/firewall level—ensure only HTTPS is accessible and restrict access by IP to trusted admin networks; (3) Rotate or disable the hardcoded administrative account immediately if credential details are known; (4) Audit API access logs for unauthorized administrative API calls using the hardcoded account credentials; (5) Implement Web Application Firewall (WAF) rules to block direct API calls without proper authentication headers; (6) Review Sitecore's official security advisory (expected CVE-2025-34509 bulletin) for detailed patch and rollback instructions.

CVE-2025-34509 vulnerability details – vuln.today

Back

Experience Commerce CVE-2025-34509

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Technical ContextAI

RemediationAI

Share

External POC / Exploit Code