CVE-2019-9875
Published 2019-05-31
Priority P1 · 83 · High · 8.8 (CVSS 3.1)
AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
KEV · ITW: CISA Known Exploited Vulnerability, remediation due 2025-04-16
Exploited in the wild
EPSS: 14.15% (96.1st percentile)
Deserialization of Untrusted Data in the anti CSRF module in Sitecore through 9.1 allows an authenticated attacker to execute arbitrary code by sending a serialized .NET object in an HTTP POST parameter.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sitecore | cms | <= 9.1 | — |
Detection & IOCs (extracted from sources)
- Monitor HTTP POST requests containing the __CSRFTOKEN parameter for serialized .NET object payloads (e.g., binary/base64-encoded data inconsistent with a normal CSRF token value), targeting Sitecore CMS/XP endpoints.
- Focus detection on the Sitecore.Security.AntiCSRF module processing path, as deserialization of untrusted data occurs within this module.
- Exploitation requires an authenticated session; correlate suspicious __CSRFTOKEN POST activity with valid authenticated Sitecore sessions to prioritize alerts.
- The vulnerability affects Sitecore CMS and Experience Platform (XP) through version 9.1; confirm the scope of affected versions before applying detections.
- Vendor mitigation guidance is available; refer to Sitecore KB0038556 for patch/configuration details before relying solely on detection.
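To make the first three bullets concrete, the following triage script is an added example (not code from this page's sources, Sitecore, CISA or VulnCheck) that scores captured POST requests for __CSRFTOKEN values that look like serialized .NET objects. It assumes three things that the page does not state and that you should calibrate against your own traffic: that the payload is a base64-encoded .NET BinaryFormatter stream, whose fixed header bytes 00 01 00 00 00 FF FF FF FF encode to `AAEAAAD/////`; that a legitimate token never exceeds 512 characters; and that an authenticated Sitecore session is marked by the ASP.NET forms-authentication cookie `.ASPXAUTH`. The sample requests are constructed, and the "payload" is only the header plus filler, not a working gadget chain.

```python
import base64
import binascii
from urllib.parse import parse_qs, urlencode

# A .NET BinaryFormatter stream starts with a SerializationHeaderRecord whose
# first bytes are 00 01 00 00 00 FF FF FF FF (record type 0, root id 1, header id -1).
BINARYFORMATTER_MAGIC = bytes.fromhex("0001000000ffffffff")
# Assumed threshold: a real CSRF token is a short opaque value, while a
# serialized gadget chain runs to kilobytes; tune this to observed traffic.
MAX_SANE_TOKEN_LEN = 512
# Assumption: Sitecore sits on ASP.NET forms authentication, so an authenticated
# session carries an .ASPXAUTH cookie. Swap in whatever your deployment uses.
AUTH_COOKIE = ".ASPXAUTH"


def decode_token(value):
    """Base64-decode a token, tolerating the URL-safe alphabet and stripped padding.
    Returns the raw bytes, or None if the value is not base64 at all."""
    v = value.strip().replace("-", "+").replace("_", "/")
    v += "=" * (-len(v) % 4)
    try:
        return base64.b64decode(v, validate=True)
    except (binascii.Error, ValueError):
        return None


def analyze_request(req):
    """Score one captured request dict {"method", "path", "body", "cookies"}.
    Returns (severity, reasons); severity is 'none', 'medium' or 'high'."""
    if req["method"].upper() != "POST":
        return "none", []
    params = parse_qs(req["body"], keep_blank_values=True)
    reasons = []
    for tok in params.get("__CSRFTOKEN", []):
        raw = decode_token(tok)
        if raw is not None and raw.startswith(BINARYFORMATTER_MAGIC):
            reasons.append("binaryformatter-header")
        if len(tok) > MAX_SANE_TOKEN_LEN:
            reasons.append("oversized-token")
    if not reasons:
        return "none", []
    # Exploitation needs an authenticated session (CVSS PR:L), so a payload
    # arriving with a session cookie is the case to escalate first.
    authenticated = AUTH_COOKIE in req.get("cookies", {})
    reasons.append("authenticated" if authenticated else "unauthenticated")
    return ("high" if authenticated else "medium"), reasons


def triage(requests):
    """Run analyze_request over a batch and return only the hits, highest severity first."""
    rank = {"high": 0, "medium": 1}
    hits = []
    for req in requests:
        sev, reasons = analyze_request(req)
        if sev != "none":
            hits.append({"path": req["path"], "severity": sev, "reasons": reasons})
    return sorted(hits, key=lambda h: rank[h["severity"]])


# Constructed sample traffic (not real captures). FAKE_PAYLOAD is the
# BinaryFormatter header followed by filler bytes: enough to trip the check,
# not a working gadget chain.
FAKE_PAYLOAD = base64.b64encode(BINARYFORMATTER_MAGIC + b"\x01" + b"\x00" * 1500).decode()
SAMPLE_REQUESTS = [
    {"method": "POST", "path": "/sitecore/shell/default.aspx",
     "body": urlencode({"__CSRFTOKEN": "eyJ0b2tlbiI6ImFiYyJ9", "__EVENTTARGET": ""}),
     "cookies": {".ASPXAUTH": "x", "ASP.NET_SessionId": "y"}},   # benign token, authenticated
    {"method": "POST", "path": "/sitecore/shell/default.aspx",
     "body": urlencode({"__CSRFTOKEN": FAKE_PAYLOAD}),
     "cookies": {".ASPXAUTH": "x"}},                              # payload, authenticated
    {"method": "POST", "path": "/sitecore/admin/login.aspx",
     "body": urlencode({"__CSRFTOKEN": FAKE_PAYLOAD}),
     "cookies": {}},                                              # payload, no session
    {"method": "GET", "path": "/sitecore/shell/default.aspx",
     "body": "", "cookies": {".ASPXAUTH": "x"}},                  # not a POST, ignored
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_REQUESTS):
        print(hit)
```

The header check is the precise signal and the length check is the fallback: an attacker who wraps or re-encodes the stream can evade the magic-byte match, but a gadget chain cannot be made as short as a real token, so keep both and review whichever fires. Because request bodies are not in standard IIS logs, this logic belongs at the WAF, reverse proxy or a request-capturing module in front of the Sitecore instance, with the session correlation driving alert priority rather than suppression.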
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
| vulncheck | n/a | 8.8 | HIGH | n/a |
| cisa | n/a | 8.8 | HIGH | n/a |
CISA
Sitecore CMS and Experience Platform (XP) Deserialization Vulnerability
cisa · 2025-03-26 · CVSS 8.8 · HIGH · CWE-502
Affected: Sitecore CMS and Experience Platform (XP)
Sitecore CMS and Experience Platform (XP) contain a deserialization vulnerability in the Sitecore.Security.AntiCSRF module that allows an authenticated attacker to execute arbitrary code by sending a serialized .NET object in the HTTP POST parameter __CSRFTOKEN.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB0038556 ; https://nvd.nist.gov/vuln/detail/CVE-2019-9875
Remediation Due Date: 2025-04-16
GHSA
GHSA-7gvq-j6pg-875g: Deserialization of Untrusted Data in the anti CSRF module in Sitecore through 9
ghsa_unreviewed · 2022-05-24 · HIGH · CWE-502
Deserialization of Untrusted Data in the anti CSRF module in Sitecore through 9.1 allows an authenticated attacker to execute arbitrary code by sending a serialized .NET object in an HTTP POST parameter.
VulnCheck
Sitecore CMS and Experience Platform (XP) Deserialization Vulnerability
vulncheck · 2019 · CVSS 8.8 · HIGH · CWE-502
Sitecore CMS and Experience Platform (XP) contain a deserialization vulnerability in the Sitecore.Security.AntiCSRF module that allows an authenticated attacker to execute arbitrary code by sending a serialized .NET object in the HTTP POST parameter __CSRFTOKEN.
Affected: Sitecore CMS and Experience Platform (XP)
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://www.loginsoft.com/reports/annually/vulnerability-intelligence-report-2025
Remediation Due: 2025-04-16
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://dev.sitecore.net/Downloads.aspx
- https://www.synacktiv.com/blog.html
- https://www.synacktiv.com/ressources/advisories/Sitecore_CSRF_deserialize_RCE.pdf
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-9875
Timeline
- 2019-05-31: Published
- 2025-03-26: Added to CISA KEV
- Exploited in the wild