cbcvebase.
CVE-2019-9874
published 2019-05-31


Priority: P194 · Severity: critical 9.8 (CVSS 3.1)
Vector: AV:N AC:L PR:N UI:N S:U C:H I:H A:H
Tags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability (due 2025-04-16)
Exploited in the wild
EPSS: 83.86% (99.7th percentile)
Deserialization of Untrusted Data in the Sitecore.Security.AntiCSRF (aka anti CSRF) module in Sitecore CMS 7.0 to 7.2 and Sitecore XP 7.5 to 8.2 allows an unauthenticated attacker to execute arbitrary code by sending a serialized .NET object in the HTTP POST parameter __CSRFTOKEN.

Affected

2 ranges

Vendor     Product               Version range   Fixed in
sitecore   cms                   7.0 – 7.2       (not listed)
sitecore   experience_platform   7.5 – 8.2       (not listed)

Detection & IOCs (extracted from sources)

path: /sitecore/shell/Applications/Security/CreateNewUser/CreateNewUser.aspx
path: /sitecore/shell/Applications/Layouts/IDE.aspx
cookie: __CSRFCOOKIE
other: __CSRFTOKEN (HTTP POST parameter carrying the serialized .NET object)
snort/suricata (Emerging Threats rule sid:2061119; written with Suricata sticky-buffer keywords such as http.uri and http.request_body)
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Sitecore CMS CSRFTOKEN Deserialization Remote Code Execution Attempt (CVE-2019-9874)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/sitecore/shell/Applications/Security/CreateNewUser/CreateNewUser.aspx"; fast_pattern; http.cookie; content:"|5f 5f|CSRFCOOKIE|3d|"; http.request_body; content:"|5f 5f|CSRFTOKEN|3d|"; startswith; pcre:"/^[a-zA-Z0-9\x2f\x2b\x3d]{32}/R"; reference:cve,2019-9874; reference:url,www.synacktiv.com/ressources/advisories/Sitecore_CSRF_deserialize_RCE.pdf; classtype:attempted-admin; sid:2061119; rev:2; metadata:affected_product Sitecore_CMS, attack_target Web_Server, tls_state plaintext, created_at 2025_03_26, cve CVE_2019_9874, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2025_03_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
bytes: |5f 5f| CSRFCOOKIE |3d| (cookie header bytes, i.e. "__CSRFCOOKIE=")
bytes: |5f 5f| CSRFTOKEN |3d| (request body bytes, anchored with startswith, i.e. "__CSRFTOKEN=")
  • Exploit traffic is an HTTP POST to the CreateNewUser.aspx endpoint with a serialized .NET object in the __CSRFTOKEN body parameter and a __CSRFCOOKIE cookie present. The rule anchors on the request body starting with __CSRFTOKEN= (startswith) followed by at least 32 base64 characters; a form whose first field is anything else does not match.
  • A vulnerable server responds with HTTP 500 and a body containing both 'PotentialCsrfException' and 'deserialization', confirming the deserialization code path was reached.
  • The attack is unauthenticated; no session or login cookies are required beyond the crafted __CSRFCOOKIE value. Monitor for POST requests to Sitecore shell paths (/sitecore/shell/...) from unauthenticated sources.
  • Shodan/FOFA fingerprints for exposed Sitecore instances: Shodan query 'http.html:"Sitecore Experience Platform"', FOFA query 'body="Sitecore Experience Platform"'.
  • The rule (sid:2061119) targets plaintext HTTP only (tls_state plaintext); HTTPS-wrapped exploitation traffic will not be detected by this rule without TLS inspection.
  • The Nuclei template targets the CreateNewUser.aspx endpoint, while the advisory also references IDE.aspx as an exploitation path; detection coverage should include both endpoints.
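The request-side logic of the rule above and the response check from the bullets, run over constructed sample traffic. This is an added example, not the page's or Emerging Threats' code; the sample requests, the placeholder token value, the hostname sitecore.example and the function names are this example's own. It also goes beyond the rule in two deliberate ways: it watches both IOC paths (the rule only matches CreateNewUser.aspx) and compares paths case-insensitively.

```python
import re
from dataclasses import dataclass, field

# Both endpoints listed as IOCs on this page, lower-cased for case-insensitive
# comparison. The ET rule itself anchors only on CreateNewUser.aspx; covering
# IDE.aspx as well is this example's extension.
WATCHED_PATHS = (
    "/sitecore/shell/applications/security/createnewuser/createnewuser.aspx",
    "/sitecore/shell/applications/layouts/ide.aspx",
)

# Mirrors the rule: body starts with "__CSRFTOKEN=" (startswith) followed by at
# least 32 base64 characters (pcre /^[a-zA-Z0-9\x2f\x2b\x3d]{32}/R).
TOKEN_RE = re.compile(r"^__CSRFTOKEN=[A-Za-z0-9/+=]{32}")


@dataclass
class HttpRequest:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    body: str = ""


def parse_request(raw: str) -> HttpRequest:
    """Minimal parser for one raw HTTP/1.1 request with CRLF line endings."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    path = target.split("?", 1)[0]
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, path, headers, body)


def has_csrf_cookie(headers: dict) -> bool:
    """The rule's http.cookie match: a cookie named __CSRFCOOKIE is present."""
    cookie = headers.get("cookie", "")
    return any(part.strip().startswith("__CSRFCOOKIE=") for part in cookie.split(";"))


def matches_request_rule(req: HttpRequest) -> bool:
    """Request-side conditions of ET sid:2061119: POST, watched URI, __CSRFCOOKIE
    cookie, body starting with __CSRFTOKEN= plus at least 32 base64 chars."""
    return (
        req.method == "POST"
        and req.path.lower() in WATCHED_PATHS
        and has_csrf_cookie(req.headers)
        and TOKEN_RE.match(req.body) is not None
    )


def response_confirms_vulnerable(status: int, body: str) -> bool:
    """Response-side check from the page: an HTTP 500 whose body contains both
    'PotentialCsrfException' and 'deserialization' shows the deserializer ran."""
    return status == 500 and "PotentialCsrfException" in body and "deserialization" in body


# --- Constructed sample traffic (placeholder values, not a real payload) ---
FAKE_TOKEN = "A" * 40  # any 32+ base64 characters satisfy the rule's pcre


def _build(method, path, cookie, body):
    """Assemble a raw request; cookie may be None to omit the header."""
    lines = [f"{method} {path} HTTP/1.1", "Host: sitecore.example"]
    if cookie:
        lines.append(f"Cookie: {cookie}")
    lines += ["Content-Type: application/x-www-form-urlencoded",
              f"Content-Length: {len(body)}"]
    return "\r\n".join(lines) + "\r\n\r\n" + body


CREATE_USER = "/sitecore/shell/Applications/Security/CreateNewUser/CreateNewUser.aspx"
SAMPLES = {
    "exploit_createnewuser": _build("POST", CREATE_USER, "__CSRFCOOKIE=x", f"__CSRFTOKEN={FAKE_TOKEN}"),
    "exploit_ide_mixed_case": _build("POST", "/Sitecore/Shell/Applications/Layouts/IDE.aspx",
                                     "ASP.NET_SessionId=s; __CSRFCOOKIE=x", f"__CSRFTOKEN={FAKE_TOKEN}"),
    "benign_get": _build("GET", CREATE_USER, None, ""),
    "token_not_first_field": _build("POST", CREATE_USER, "__CSRFCOOKIE=x", f"UserName=bob&__CSRFTOKEN={FAKE_TOKEN}"),
    "short_token": _build("POST", CREATE_USER, "__CSRFCOOKIE=x", "__CSRFTOKEN=abc"),
}


def scan(samples: dict) -> dict:
    """Apply the request-side rule to every sample; returns name -> alert?"""
    return {name: matches_request_rule(parse_request(raw)) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, hit in scan(SAMPLES).items():
        print(("ALERT " if hit else "ok    ") + name)
```

Two gaps worth knowing when you deploy the real rule: its http.uri content match carries no nocase modifier, so it is case-sensitive even though IIS resolves paths case-insensitively, and startswith means a form that places __CSRFTOKEN after another field is not matched. The example widens the path comparison but keeps the startswith behaviour, so the second gap stays visible in the token_not_first_field sample.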

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd         v2.0      7.5     HIGH       AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck             9.8     CRITICAL
cisa                  9.8     CRITICAL