CVE-2019-9874
Published 2019-05-31
Priority P1 · 94 · critical · CVSS 3.1 base score 9.8
CVSS vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, remediation due 2025-04-16
Exploited in the wild
EPSS: 83.86% (99.7th percentile)
Deserialization of Untrusted Data in the Sitecore.Security.AntiCSRF (aka anti CSRF) module in Sitecore CMS 7.0 to 7.2 and Sitecore XP 7.5 to 8.2 allows an unauthenticated attacker to execute arbitrary code by sending a serialized .NET object in the HTTP POST parameter __CSRFTOKEN.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sitecore | cms | 7.0 – 7.2 | — |
| sitecore | experience_platform | 7.5 – 8.2 | — |
Detection & IOCs (extracted from sources)
- path: /sitecore/shell/Applications/Security/CreateNewUser/CreateNewUser.aspx
- path: /sitecore/shell/Applications/Layouts/IDE.aspx
- cookie: __CSRFCOOKIE

Snort rule:

```
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Sitecore CMS CSRFTOKEN Deserialization Remote Code Execution Attempt (CVE-2019-9874)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/sitecore/shell/Applications/Security/CreateNewUser/CreateNewUser.aspx"; fast_pattern; http.cookie; content:"|5f 5f|CSRFCOOKIE|3d|"; http.request_body; content:"|5f 5f|CSRFTOKEN|3d|"; startswith; pcre:"/^[a-zA-Z0-9\x2f\x2b\x3d]{32}/R"; reference:cve,2019-9874; reference:url,www.synacktiv.com/ressources/advisories/Sitecore_CSRF_deserialize_RCE.pdf; classtype:attempted-admin; sid:2061119; rev:2; metadata:affected_product Sitecore_CMS, attack_target Web_Server, tls_state plaintext, created_at 2025_03_26, cve CVE_2019_9874, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2025_03_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
```

Byte patterns used by the rule:
- bytes: |5f 5f| CSRFCOOKIE |3d| (cookie header bytes)
- bytes: |5f 5f| CSRFTOKEN |3d| (request body bytes, startswith)
- Exploit traffic is an HTTP POST to the CreateNewUser.aspx endpoint with a serialized .NET object in the __CSRFTOKEN body parameter and a __CSRFCOOKIE cookie present. The Snort rule anchors on the body starting with __CSRFTOKEN= followed by at least 32 base64 characters.
- A vulnerable server will respond with HTTP 500 and a body containing both 'PotentialCsrfException' and 'deserialization', confirming the deserialization code path was reached.
- The attack is unauthenticated; no session or login cookies are required beyond the crafted __CSRFCOOKIE value. Monitor for POST requests to Sitecore shell paths from unauthenticated sources.
- Shodan/FOFA fingerprints for exposed Sitecore instances: Shodan query 'http.html:"Sitecore Experience Platform"', FOFA query 'body="Sitecore Experience Platform"'.
- Caveat: the Snort rule (sid:2061119) targets plaintext HTTP only (tls_state plaintext); HTTPS-wrapped exploitation traffic will not be detected by this rule without TLS inspection.
- Caveat: the Nuclei template targets the CreateNewUser.aspx endpoint, while the advisory also references IDE.aspx as an exploitation path; detection coverage should include both endpoints.
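The following is an added example (not code from this page, Sitecore, or Emerging Threats) that re-implements the four conditions of the Snort rule above in Python, so a responder can replay them against captured plaintext HTTP requests (for example from a proxy log) and also check the response-side indicator described above. It goes one step beyond the Snort rule by watching both endpoints named in the notes, CreateNewUser.aspx and IDE.aspx. The sample requests, host name, cookie and token values are constructed placeholders, not real exploit traffic.

```python
import re
from typing import List

# Endpoints from the page: the Snort rule anchors only on CreateNewUser.aspx,
# the advisory and Nuclei material also name IDE.aspx, so both are watched.
WATCHED_PATHS = {
    "/sitecore/shell/Applications/Security/CreateNewUser/CreateNewUser.aspx",
    "/sitecore/shell/Applications/Layouts/IDE.aspx",
}

# Equivalent of the rule's content + pcre: the body must start with
# __CSRFTOKEN= followed by at least 32 characters of the base64 alphabet.
TOKEN_RE = re.compile(r"^__CSRFTOKEN=[A-Za-z0-9/+=]{32}")


def parse_http_request(raw: str) -> dict:
    """Minimal parser for a raw HTTP/1.1 request: request line, headers, body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": target.split("?", 1)[0],
            "headers": headers, "body": body}


def matches_cve_2019_9874(req: dict) -> bool:
    """Apply the rule's conditions: POST, watched path, __CSRFCOOKIE cookie, token body."""
    if req["method"] != "POST":
        return False
    if req["path"] not in WATCHED_PATHS:
        return False
    if "__CSRFCOOKIE=" not in req["headers"].get("cookie", ""):
        return False
    return TOKEN_RE.match(req["body"]) is not None


def response_reached_deserializer(status: int, body: str) -> bool:
    """Response-side indicator from the notes: HTTP 500 naming both strings."""
    return (status == 500
            and "PotentialCsrfException" in body
            and "deserialization" in body)


def scan_requests(raw_requests: List[str]) -> List[str]:
    """Return the request paths that trip the rule, in input order."""
    return [r["path"] for r in map(parse_http_request, raw_requests)
            if matches_cve_2019_9874(r)]


# Constructed filler: 32 base64-alphabet characters, not a real payload.
PLACEHOLDER_TOKEN = "A" * 32
CREATE_USER = "/sitecore/shell/Applications/Security/CreateNewUser/CreateNewUser.aspx"
IDE = "/sitecore/shell/Applications/Layouts/IDE.aspx"

# Constructed sample traffic (not captured from a real incident).
SAMPLE_REQUESTS = [
    # 1. ordinary page load: GET, so it can never match
    f"GET {CREATE_USER} HTTP/1.1\r\nHost: cms.example.internal\r\n"
    "Cookie: ASP.NET_SessionId=abc\r\n\r\n",
    # 2. POST with __CSRFCOOKIE and a 32-char token body: matches
    f"POST {CREATE_USER} HTTP/1.1\r\nHost: cms.example.internal\r\n"
    "Cookie: __CSRFCOOKIE=x; ASP.NET_SessionId=abc\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    f"__CSRFTOKEN={PLACEHOLDER_TOKEN}&UserName=test",
    # 3. cookie present but token shorter than 32 chars: no match
    f"POST {CREATE_USER} HTTP/1.1\r\nHost: cms.example.internal\r\n"
    "Cookie: __CSRFCOOKIE=x\r\n\r\n__CSRFTOKEN=short&UserName=test",
    # 4. no __CSRFCOOKIE cookie: the rule requires it, so no match
    f"POST {CREATE_USER} HTTP/1.1\r\nHost: cms.example.internal\r\n"
    "Cookie: ASP.NET_SessionId=abc\r\n\r\n"
    f"__CSRFTOKEN={PLACEHOLDER_TOKEN}&UserName=test",
    # 5. IDE.aspx path from the advisory: matched only because WATCHED_PATHS
    #    extends coverage beyond the Snort rule's single URI
    f"POST {IDE} HTTP/1.1\r\nHost: cms.example.internal\r\n"
    "Cookie: __CSRFCOOKIE=x\r\n\r\n"
    f"__CSRFTOKEN={PLACEHOLDER_TOKEN}&Mode=edit",
]

if __name__ == "__main__":
    for path in scan_requests(SAMPLE_REQUESTS):
        print("rule hit:", path)
```

Like the Snort rule, this only sees plaintext requests; run it over traffic that has already been decrypted by a TLS-terminating proxy or load balancer, and treat a hit together with a 500 response satisfying `response_reached_deserializer` as strong confirmation that the vulnerable code path was exercised.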
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vulncheck | — | 9.8 | CRITICAL | — |
| cisa | — | 9.8 | CRITICAL | — |
GHSA
GHSA-wfwm-vf76-3692: Deserialization of Untrusted Data in the Sitecore
ghsa_unreviewed · 2022-05-24 · CVE-2019-9874 [CRITICAL] · CWE-502
Deserialization of Untrusted Data in the Sitecore.Security.AntiCSRF (aka anti CSRF) module in Sitecore CMS 7.0 to 7.2 and Sitecore XP 7.5 to 8.2 allows an unauthenticated attacker to execute arbitrary code by sending a serialized .NET object in the HTTP POST parameter __CSRFTOKEN.
VulnCheck
Sitecore CMS and Experience Platform (XP) Deserialization Vulnerability
vulncheck · 2019 · CVSS 9.8 · CVE-2019-9874 [CRITICAL] · CWE-502
Sitecore CMS and Experience Platform (XP) contain a deserialization vulnerability in the Sitecore.Security.AntiCSRF module that allows an unauthenticated attacker to execute arbitrary code by sending a serialized .NET object in the HTTP POST parameter __CSRFTOKEN.
Affected: Sitecore CMS and Experience Platform (XP)
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://cyble.com/resources/research-reports/global-cybersecurity-report/; https://www.loginsoft.com/reports/annua
CISA
Sitecore CMS and Experience Platform (XP) Deserialization Vulnerability
cisa · 2025-03-26 · CVSS 9.8 · CVE-2019-9874 [CRITICAL] · CWE-502
Affected: Sitecore CMS and Experience Platform (XP)
Sitecore CMS and Experience Platform (XP) contain a deserialization vulnerability in the Sitecore.Security.AntiCSRF module that allows an unauthenticated attacker to execute arbitrary code by sending a serialized .NET object in the HTTP POST parameter __CSRFTOKEN.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB0334035 ; https://nvd.nist.gov/vuln/detail/CVE-2019-9874
Remediation Due Date: 2025-04-16
Suricata
ET WEB_SPECIFIC_APPS Sitecore CMS CSRFTOKEN Deserialization Remote Code Execution Attempt (CVE-2019-9874)
suricata · 2025-03-26 · CVSS 9.8 · CVE-2019-9874 [CRITICAL]
Rule (as quoted by the source, truncated):

```
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Sitecore CMS CSRFTOKEN Deserialization Remote Code Execution Attempt (CVE-2019-9874)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/sitecore/shell/Applications/Security/CreateNewUser/CreateNewUser.aspx"; fast_pattern; http.cookie; content:"|5f 5f|CSRFCOOKIE|3d|"; http.request_body; content:"|5f 5f|CSRFTOKEN|3d|"; startswith; pcre:"/^[a-zA-Z0-9\x2f\x2b\x3d]{32}/R"; reference:cve,2019-9874; reference:url,www.synacktiv.com/ressources/advisories/Sitecore_CSRF_deserialize_RCE.pdf; classtype:attempted-admin; sid:2061119; rev:2; metadata:affected_product Sitecore_CMS, attack_target Web_Server
```
Nuclei
Sitecore Experience Platform - Deserialization of Untrusted Data
nuclei · CVSS 9.8 · CVE-2019-9874 [CRITICAL]
Sitecore Experience Platform before 8.2 Update-7 and 9.0 before Update-2 is vulnerable to a remote code execution vulnerability (CVE-2019-9874). An attacker can exploit this issue to execute arbitrary code on the affected system via a crafted request to the /sitecore/shell/Applications/Layouts/IDE.aspx endpoint.
Template (as quoted by the source, truncated):

```yaml
id: CVE-2019-9874
info:
  name: Sitecore Experience Platform - Deserialization of Untrusted Data
  author: ritikchaddha
  severity: critical
  description: |
    Sitecore Experience Platform before 8.2 Update-7 and 9.0 before Update-2 is vulnerable to a remote code execution vulnerability (CVE-2019-9874). An attacker can exploit this issue to execute arbitrary code on the affected system via a crafted request to the
```
References
- https://dev.sitecore.net/Downloads.aspx
- https://www.synacktiv.com/blog.html
- https://www.synacktiv.com/ressources/advisories/Sitecore_CSRF_deserialize_RCE.pdf
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-9874

Timeline
- 2019-05-31: Published
- 2025-03-26: Added to CISA KEV
- Exploited in the wild