CVE-2025-27218
published 2025-02-20

CVE-2025-27218: Sitecore Experience Manager (XM) and Experience Platform (XP) 10.4 before KB1002844 allow remote code execution through insecure deserialization.

Priority: P1 (81)
CVSS 3.1: 5.3 Medium (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
ITW exploit: exploited in the wild (VulnCheck KEV)
EPSS: 63.56% (99.1 percentile)

Affected

1 range
Vendor   Product                                  Version range   Fixed in
msrc     cbl2_glib_2.60.1-5_on_cbl_mariner_2.0

Detection & IOCs (extracted from sources)

other: ThumbnailsAccessToken
  ThumbnailsAccessToken: <base64-encoded BinaryFormatter payload>
bytes (Base64 prefix of the payload):
  AQAAAAAAAAAEAQAAAClTeXN0ZW0uU2VjdXJpdHkuUHJpbmNpcGFsLldpbmRvd3NJZGVudGl0eQEAAAAkU3lzdGVtLlNlY3VyaXR5LkNsYWltc0lkZW50aXR5LmFjdG9yAQYCAAAAkA==
  Decoded, this is the tail of the BinaryFormatter (MS-NRBF) stream header followed by the SystemClassWithMembersAndTypes record for System.Security.Principal.WindowsIdentity, whose single string member is System.Security.ClaimsIdentity.actor, i.e. the WindowsIdentity gadget chain. In a full payload the first 9 header bytes precede it, so the header value on the wire starts with "AAEAAAD/////" and then this string.
snort/suricata rule (ET sid:2060777):
alert http any any -> $HOME_NET any (msg:"ET EXPLOIT [CORELIGHT] - CVE-2025-27218 Sitecore unsafe deserialization attempt"; flow:established,to_server; http.header; header_lowercase; content:"thumbnailsaccesstoken|3a 20|"; nocase; content:"AQAAAAAAAAAEAQAAAClTeXN0ZW0uU2VjdXJpdHkuUHJpbmNpcGF"; fast_pattern; distance:0; reference:url,slcyber.io/blog/sitecore-unsafe-deserialization-again-cve-2025-27218/; reference:cve,2025-27218; classtype:attempted-admin; sid:2060777; rev:2; metadata:attack_target Server, created_at 2025_03_10, cve CVE_2025_27218, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, updated_at 2025_03_28, reviewed_at 2025_08_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • The exploit delivers a Base64-encoded BinaryFormatter payload in the HTTP 'ThumbnailsAccessToken' request header; inspect all inbound HTTP headers for this field carrying Base64 data.
  • The Nuclei template confirms exploitation through an out-of-band DNS interaction (interactsh) after sending the payload; OOB/DNS-based detection is viable for confirming exploitation.
  • The Snort/ET rule (sid:2060777) matches the lowercased header name 'thumbnailsaccesstoken' followed, in the same header, by the known BinaryFormatter Base64 prefix 'AQAAAAAAAAAEAQAAAClTeXN0ZW0uU2VjdXJpdHkuUHJpbmNpcGF'.
  • The exploit is unauthenticated (PR:N) and targets the root path '/' with a GET request; no session or credentials are required to reach the deserialization.
  • A public PoC exploit script exists on exploit-db (EDB-52344) and on GitHub; verify patch status against KB1002844 immediately.
  • A Metasploit module exists for this CVE targeting Windows HTTP services; monitor for Metasploit-style User-Agent strings or known MSF payload patterns alongside the ThumbnailsAccessToken header.
  • The vulnerability is fixed in Sitecore XM/XP 10.4 by applying KB1002844; versions 10.1–10.3 are also affected but may require different patch guidance.
  • CVE-2025-27218 is a standalone deserialization issue (fixed December 2024), distinct from the June 2025 watchTowr exploit chain (CVE-2025-34509/34510/34511); do not conflate them.
  • The 5.3 Medium score carried by NVD and the Nuclei template (C:L/I:N/A:N) is inconsistent with the RCE impact described; treat unpatched instances as Critical.
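The detection logic the bullets above describe, as an added example in Python; this is not code from this page, from Sitecore, or from the ET rule authors. It parses a raw HTTP request, looks up the ThumbnailsAccessToken header, applies the same Base64-prefix match that sid:2060777 uses, and then goes one step further than the rule: it decodes the header value and checks for the BinaryFormatter (MS-NRBF) stream header and the gadget class and member names, which does not depend on the Base64 alignment or on the particular gadget chain the rule's prefix keys on. The sample requests, the placeholder host sitecore.example and the class name Fake.Gadget are constructed for the example; the exploit-shaped token is the page's IOC string with the standard 9 leading NRBF header bytes ("AAEAAAD/////") prepended.

```python
import base64
import binascii
import re
from typing import Optional

# MS-NRBF SerializationHeaderRecord: type 0x00, RootId=1, HeaderId=-1,
# MajorVersion=1, MinorVersion=0. Every BinaryFormatter stream starts with it.
NRBF_HEADER = bytes.fromhex("0001000000ffffffff0100000000000000")

# Base64 prefix matched by ET sid:2060777 (from the page's IOCs).
IOC_B64_PREFIX = "AQAAAAAAAAAEAQAAAClTeXN0ZW0uU2VjdXJpdHkuUHJpbmNpcGF"
# Full IOC string from the page (stream minus its first 9 header bytes).
IOC_B64 = ("AQAAAAAAAAAEAQAAAClTeXN0ZW0uU2VjdXJpdHkuUHJpbmNpcGFsLldpbmRvd3NJZGVudGl0eQEAAAAk"
           "U3lzdGVtLlNlY3VyaXR5LkNsYWltc0lkZW50aXR5LmFjdG9yAQYCAAAAkA==")

# Strings the IOC decodes to: the WindowsIdentity gadget's class and member name.
GADGET_MARKERS = [b"System.Security.Principal.WindowsIdentity",
                  b"System.Security.ClaimsIdentity.actor"]
HEADER_NAME = "thumbnailsaccesstoken"


def parse_headers(raw_request: str) -> dict:
    """Map lowercased header names to values for one raw HTTP request."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def b64_decode_lenient(value: str) -> Optional[bytes]:
    """Decode standard Base64, tolerating missing padding; None if not Base64."""
    cleaned = re.sub(r"\s+", "", value)
    if not re.fullmatch(r"[A-Za-z0-9+/]+=*", cleaned):
        return None
    cleaned += "=" * (-len(cleaned) % 4)
    try:
        return base64.b64decode(cleaned, validate=True)
    except (binascii.Error, ValueError):
        return None


def root_class_name(blob: bytes) -> Optional[str]:
    """Class name of the first record after the NRBF header, when that record is
    SystemClassWithMembersAndTypes (0x04) or ClassWithMembersAndTypes (0x05)."""
    if not blob.startswith(NRBF_HEADER) or len(blob) < len(NRBF_HEADER) + 6:
        return None
    pos = len(NRBF_HEADER)
    if blob[pos] not in (0x04, 0x05):
        return None
    pos += 5                                      # RecordTypeEnum + ObjectId
    length, shift = 0, 0                          # LengthPrefixedString: 7-bit varint
    while pos < len(blob):
        b = blob[pos]
        pos += 1
        length |= (b & 0x7F) << shift
        if not b & 0x80:
            return blob[pos:pos + length].decode("utf-8", "replace")
        shift += 7
    return None


def inspect_request(raw_request: str) -> Optional[dict]:
    """Return a finding for a request carrying ThumbnailsAccessToken, else None."""
    token = parse_headers(raw_request).get(HEADER_NAME)
    if token is None:
        return None
    blob = b64_decode_lenient(token) or b""
    finding = {
        "sid2060777_prefix_match": IOC_B64_PREFIX in token,   # what the ET rule sees
        "nrbf_stream": blob.startswith(NRBF_HEADER),          # any BinaryFormatter stream
        "root_class": root_class_name(blob),
        "gadget_markers": [m.decode() for m in GADGET_MARKERS if m in blob],
    }
    finding["verdict"] = ("exploit_attempt"
                          if finding["nrbf_stream"] or finding["sid2060777_prefix_match"]
                          else "suspicious_header")
    return finding


def make_request(token: Optional[str]) -> str:
    """Constructed raw GET to '/' (the path the page reports); the host is a placeholder."""
    lines = ["GET / HTTP/1.1", "Host: sitecore.example", "User-Agent: curl/8.0"]
    if token is not None:
        lines.append("ThumbnailsAccessToken: " + token)
    return "\r\n".join(lines) + "\r\n\r\n"


# Constructed samples. The exploit-shaped token is the page's IOC with the
# 9 leading header bytes (Base64 "AAEAAAD/////") prepended.
SAMPLE_EXPLOIT = make_request("AAEAAAD/////" + IOC_B64)
# A stream whose root record names a made-up class: the prefix match misses it,
# the decode-based check still fires.
_other = NRBF_HEADER + b"\x04\x01\x00\x00\x00\x0bFake.Gadget"
SAMPLE_OTHER_GADGET = make_request(base64.b64encode(_other).decode())
SAMPLE_BENIGN = make_request(None)
SAMPLE_JUNK = make_request("not-base64!!")

if __name__ == "__main__":
    for name in ("SAMPLE_EXPLOIT", "SAMPLE_OTHER_GADGET", "SAMPLE_BENIGN", "SAMPLE_JUNK"):
        print(name, inspect_request(globals()[name]))
```

The `nrbf_stream` check is the one to alert on: a BinaryFormatter stream has no business in this header regardless of which gadget it carries, while the `sid2060777_prefix_match` and `gadget_markers` fields only attribute the attempt to the WindowsIdentity chain the public PoC uses. Run it against header logs or a proxy capture rather than raw packets, since the rule and this check both need the reassembled HTTP header.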

CVSS provenance

Source        Score   Severity   Vector
nvd (v3.1)    5.3     MEDIUM     CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
vulncheck     5.3     MEDIUM
vendor_msrc   7.5     HIGH