What is the CVSS score of CVE-2025-34510?

CVE-2025-34510 has a CVSS 3.1 base score of 8.8 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 87.3%.

Which versions of Experience Commerce are affected by CVE-2025-34510?

Sitecore XM, XP, and XC customers running versions 9.0-9.3 and 10.0-10.4 face an immediate risk of unauthorized code execution through a Zip Slip vulnerability that requires only authenticated…

Is there a public PoC exploit available for CVE-2025-34510?

Yes, a public proof-of-concept exploit is available for CVE-2025-34510. Prioritise patching immediately. EPSS: 87.3%.

How to fix or mitigate CVE-2025-34510?

Within 24 hours: Identify all Sitecore XM/XP/XC instances running versions 9.0-9.3 or 10.0-10.4 and inventory user accounts with upload/administration privileges. Within 7 days: Implement WAF rules to block malicious ZIP uploads and restrict administrative file upload functionality to trusted IPs only; disable the vulnerable upload feature if operationally feasible. Within 30 days: Plan and execute upgrade to Sitecore 10.5 or later, or migrate to SaaS versions; perform enhanced monitoring of all file upload activity and authentication logs.

Experience Commerce CVE-2025-34510

EUVD-2025-18525 HIGH

Relative Path Traversal (CWE-23)

2025-06-17 disclosure@vulncheck.com

RCE Path Traversal Experience Commerce Experience Manager Experience Platform Managed Cloud

8.8

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

EUVD ID Assigned

Mar 14, 2026 - 22:15 euvd

EUVD-2025-18525

Analysis Generated

Mar 14, 2026 - 22:15 vuln.today

PoC Detected

Sep 08, 2025 - 19:22 vuln.today

Public exploit code

CVE Published

Jun 17, 2025 - 19:15 nvd

HIGH 8.8

DescriptionNVD

Sitecore Experience Manager (XM), Experience Platform (XP), and Experience Commerce (XC) versions 9.0 through 9.3 and 10.0 through 10.4 are affected by a Zip Slip vulnerability. A remote, authenticated attacker can exploit this issue by sending a crafted HTTP request to upload a ZIP archive containing path traversal sequences, allowing arbitrary file writes and leading to code execution.

AnalysisAI

Sitecore Experience Manager, Platform, and Commerce versions 9.0 through 10.4 contain a Zip Slip vulnerability that allows authenticated attackers to write arbitrary files outside the intended upload directory. By crafting ZIP archives with path traversal entries, attackers can overwrite application files and achieve remote code execution.

Technical ContextAI

The file upload functionality accepts ZIP archives and extracts their contents without properly validating entry paths. By including entries with ../../ prefixes in the ZIP archive, an attacker can write files to arbitrary locations on the filesystem. Writing an ASPX webshell to the Sitecore web root achieves code execution. The vulnerability requires authentication but not administrative privileges.

RemediationAI

Apply the latest Sitecore security patch. Implement server-level controls to prevent file writes outside designated directories. Restrict upload permissions to trusted users. Monitor the web root for unexpected ASPX file creation.

CVE-2025-34510 vulnerability details – vuln.today

Back

Experience Commerce CVE-2025-34510

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Technical ContextAI

RemediationAI

Share

External POC / Exploit Code