CVE-2025-27218
Published 2025-02-20
CVE-2025-27218: Sitecore Experience Manager (XM) and Experience Platform (XP) 10.4 before KB1002844 allow remote code execution through insecure deserialization.
Severity: medium, 5.3 (CVSS 3.1), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Flags: ITW (exploited in the wild), public exploit, VulnCheck KEV
EPSS: 63.56% (99.1th percentile)
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| Sitecore | Experience Manager (XM) / Experience Platform (XP) | 10.4 (Exploit-DB lists 10.3 - 10.4) | KB1002844 |
The aggregator also attached an msrc row for cbl2_glib_2.60.1-5_on_cbl_mariner_2.0 here; that row belongs to CVE-2021-27218 (the GNOME GLib g_byte_array_new_take() issue, see the Microsoft entry below), not to this CVE.
Detection & IOCs (extracted from sources)
other: ThumbnailsAccessToken: <base64-encoded BinaryFormatter payload>
bytes (base64 prefix of the payload; it decodes to the MS-NRBF version fields followed by a SystemClassWithMembersAndTypes record for System.Security.Principal.WindowsIdentity whose single member is System.Security.ClaimsIdentity.actor, the shape of the ysoserial.net WindowsIdentity gadget):
AQAAAAAAAAAEAQAAAClTeXN0ZW0uU2VjdXJpdHkuUHJpbmNpcGFsLldpbmRvd3NJZGVudGl0eQEAAAAkU3lzdGVtLlNlY3VyaXR5LkNsYWltc0lkZW50aXR5LmFjdG9yAQYCAAAAkA==
snort
```
alert http any any -> $HOME_NET any (msg:"ET EXPLOIT [CORELIGHT] - CVE-2025-27218 Sitecore unsafe deserialization attempt"; flow:established,to_server; http.header; header_lowercase; content:"thumbnailsaccesstoken|3a 20|"; nocase; content:"AQAAAAAAAAAEAQAAAClTeXN0ZW0uU2VjdXJpdHkuUHJpbmNpcGF"; fast_pattern; distance:0; reference:url,slcyber.io/blog/sitecore-unsafe-deserialization-again-cve-2025-27218/; reference:cve,2025-27218; classtype:attempted-admin; sid:2060777; rev:2; metadata:attack_target Server, created_at 2025_03_10, cve CVE_2025_27218, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, updated_at 2025_03_28, reviewed_at 2025_08_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
```
- Exploit delivers a malicious Base64-encoded BinaryFormatter payload in the HTTP 'ThumbnailsAccessToken' header; inspect all inbound HTTP headers for this field containing Base64 data.
- The Nuclei template triggers on a DNS interaction via interactsh after sending the payload; OOB/DNS-based detection is viable for confirming exploitation.
- The Snort/ET rule (sid:2060777) detects the attack by matching the HTTP header name 'thumbnailsaccesstoken' followed by the known BinaryFormatter Base64 prefix 'AQAAAAAAAAAEAQAAAClTeXN0ZW0uU2VjdXJpdHkuUHJpbmNpcGF' in the same header. Only the header-name match carries nocase; the prefix match is case-sensitive and keys on the WindowsIdentity gadget's first record, so a different gadget chain in the same header would not hit it. Header presence and OOB checks cover that case.
- The exploit is unauthenticated (PR:N) and targets the root path '/' via a GET request; no prior session or credentials are required to trigger deserialization.
- A public PoC exploit script exists at exploit-db (EDB-52344) and on GitHub; patch status should be verified against KB1002844 immediately.
- A Metasploit module exists for this CVE targeting Windows HTTP services; monitor for Metasploit-style User-Agent strings or known MSF payload patterns alongside the ThumbnailsAccessToken header.
- The vulnerability is fixed in Sitecore XM/XP 10.4 by applying patch KB1002844; versions 10.1–10.3 are also affected but may require different patch guidance.
- CVE-2025-27218 is a standalone deserialization issue (fixed December 2024) and is distinct from the June 2025 watchTowr exploit chain (CVE-2025-34509/34510/34511); do not conflate them.
- The 5.3 Medium CVSS 3.1 score carried by NVD and VulnCheck (and echoed by the Nuclei template) has C:L/I:N/A:N, which is inconsistent with the unauthenticated RCE impact every source here describes; treat the actual risk as Critical for unpatched instances.
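The two detection approaches in the list above, the ET rule's header-name plus base64-prefix match and a look inside the decoded BinaryFormatter stream, as an added Python example. This is not code from the Nuclei template, the ET rule or any other source on this page. It assumes a raw HTTP request as input; the sample requests, the hostname and the payload stand-in are constructed here, and the stand-in only mimics the leading WindowsIdentity record of the gadget (with a placeholder instead of the nested payload), so it is not a working exploit.

```python
"""Detector for CVE-2025-27218 exploitation attempts in raw HTTP requests."""
import base64
import binascii
import struct

HEADER_NAME = "thumbnailsaccesstoken"
# Base64 prefix matched by ET rule sid:2060777 (copied from the rule text).
ET_PREFIX = "AQAAAAAAAAAEAQAAAClTeXN0ZW0uU2VjdXJpdHkuUHJpbmNpcGF"
# MS-NRBF SerializationHeaderRecord: RecordType 0x00, RootId 1, HeaderId -1,
# MajorVersion 1, MinorVersion 0. Every BinaryFormatter stream starts with it.
NRBF_HEADER = bytes.fromhex("0001000000ffffffff0100000000000000")


def parse_headers(raw: bytes) -> dict:
    """Return {lowercased name: value} for the headers of one HTTP request."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:               # [0] is the request line
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return headers


def _read_7bit_length(blob: bytes, pos: int):
    """Decode the 7-bit variable-length prefix of an NRBF LengthPrefixedString."""
    length = shift = 0
    while True:
        b = blob[pos]
        pos += 1
        length |= (b & 0x7F) << shift
        if not b & 0x80:
            return length, pos
        shift += 7


def nrbf_root_class(blob: bytes):
    """Return the class name of the first record when blob is a BinaryFormatter
    stream whose first record is SystemClassWithMembersAndTypes (0x04) or
    ClassWithMembersAndTypes (0x05); otherwise None."""
    if not blob.startswith(NRBF_HEADER) or len(blob) <= len(NRBF_HEADER):
        return None
    pos = len(NRBF_HEADER)
    if blob[pos] not in (0x04, 0x05):
        return None
    pos += 1 + 4                                       # RecordTypeEnum + ObjectId
    try:
        length, pos = _read_7bit_length(blob, pos)
        return blob[pos:pos + length].decode("utf-8")
    except (IndexError, UnicodeDecodeError):
        return None


def inspect_request(raw: bytes) -> dict:
    """Classify one raw HTTP request.
    present    : the ThumbnailsAccessToken header is there at all
    signature  : both content matches of the ET rule would hit
    nrbf_class : root class name if the header decodes to an NRBF stream
    """
    value = parse_headers(raw).get(HEADER_NAME)
    result = {"present": value is not None, "signature": False, "nrbf_class": None}
    if value is None:
        return result
    result["signature"] = ET_PREFIX in value           # the rule's 2nd content is case-sensitive
    try:
        blob = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return result                                  # not base64 at all
    result["nrbf_class"] = nrbf_root_class(blob)
    return result


def _nrbf_string(s: str) -> bytes:
    """LengthPrefixedString for names shorter than 128 bytes (single length byte)."""
    return bytes([len(s)]) + s.encode()


def build_sample_payload() -> str:
    """Constructed stand-in for the leading record of the WindowsIdentity gadget:
    header, 0x04 record for System.Security.Principal.WindowsIdentity with one
    member System.Security.ClaimsIdentity.actor, then a BinaryObjectString.
    A placeholder string replaces the nested gadget, so this is not a working
    payload; it only reproduces the bytes the signature keys on."""
    stream = (NRBF_HEADER
              + b"\x04" + struct.pack("<i", 1)                                # record, ObjectId
              + _nrbf_string("System.Security.Principal.WindowsIdentity")
              + struct.pack("<i", 1)                                          # MemberCount
              + _nrbf_string("System.Security.ClaimsIdentity.actor")
              + b"\x01"                                                       # BinaryTypeEnum String
              + b"\x06" + struct.pack("<i", 2)                                # BinaryObjectString, ObjectId
              + _nrbf_string("<nested payload omitted in this constructed sample>")
              + b"\x0b")                                                      # MessageEnd
    return base64.b64encode(stream).decode()


# Constructed sample traffic (hostname and gadget name below are made up).
EXPLOIT_REQUEST = (b"GET / HTTP/1.1\r\nHost: cms.example.test\r\n"
                   b"ThumbnailsAccessToken: " + build_sample_payload().encode() + b"\r\n\r\n")
BENIGN_REQUEST = (b"GET / HTTP/1.1\r\nHost: cms.example.test\r\n"
                  b"ThumbnailsAccessToken: " + base64.b64encode(b"opaque-session-token-1234") + b"\r\n\r\n")
# A different gadget class shares the NRBF header but not the ET prefix.
VARIANT_REQUEST = (b"GET / HTTP/1.1\r\nHost: cms.example.test\r\n"
                   b"ThumbnailsAccessToken: " + base64.b64encode(
                       NRBF_HEADER + b"\x05" + struct.pack("<i", 1)
                       + _nrbf_string("Some.Other.GadgetChain") + b"\x0b") + b"\r\n\r\n")

if __name__ == "__main__":
    for label, req in (("exploit", EXPLOIT_REQUEST), ("benign", BENIGN_REQUEST), ("variant", VARIANT_REQUEST)):
        print(label, inspect_request(req))
```

Run as a script it prints the classification of all three samples. The variant sample is the case the prefix signature misses: the structural check still reports a BinaryFormatter stream in a header that should never carry one, which is the alert worth raising regardless of gadget.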
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| vulncheck | 3.1 | 5.3 | MEDIUM | (not shown) |
| vendor_msrc | (not shown) | 7.5 | HIGH | scored for CVE-2021-27218 (GLib), attached here by ID collision; see the Microsoft entry below |
GHSA
GHSA-jx5r-cxfc-c638 (ghsa_unreviewed, 2025-02-20): CVE-2025-27218 [MEDIUM], CWE-94
Sitecore Experience Manager (XM) and Experience Platform (XP) 10.4 before KB1002844 allow remote code execution through insecure deserialization.
VulnCheck
CVE-2025-27218 [MEDIUM] (vulncheck, 2025, CVSS 5.3), CWE: Improper Control of Generation of Code ('Code Injection')
Sitecore Experience Manager (XM) and Experience Platform (XP) 10.4 before KB1002844 allow remote code execution through insecure deserialization.
Affected: Sitecore Experience Manager (XM) and Experience Platform (XP)
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://isc.sans.edu/diary/rss/31806; https://api.vulncheck.com/v3/index/vulncheck-canaries?cve=CVE-2025-27218&date=2026-01-03
Microsoft
Note: this MSRC entry is for CVE-2021-27218 (GNOME GLib), matched to this page by ID collision; it has nothing to do with Sitecore or the deserialization issue above.
CVE-2021-27218 [HIGH] CWE-681 (vendor_msrc, 2021-02-09, CVSS 7.5)
An issue was discovered in GNOME GLib before 2.66.7 and 2.67.x before 2.67.4. If g_byte_array_new_take() was called with a buffer of 4GB or more on a 64-bit platform the length would be truncated modulo 2**32 causing unintended length truncation.
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additio
Suricata
ET EXPLOIT [CORELIGHT] - CVE-2025-27218 Sitecore unsafe deserialization attempt (suricata, 2025-03-10, CVSS 5.3, CVE-2025-27218 [MEDIUM])
Rule: sid:2060777 rev:2, quoted in full under Detection & IOCs above.
Exploit-DB
Sitecore 10.4 - Remote Code Execution (RCE) (exploitdb, 2025-06-26, CVSS 5.3, CVE-2025-27218 [MEDIUM])
---
```python
# Exploit Title: Sitecore 10.4 - Remote Code Execution (RCE)
# Exploit Author: Yesith Alvarez
# Vendor Homepage: https://developers.sitecore.com/downloads
# Version: Sitecore 10.3 - 10.4
# CVE : CVE-2025-27218
# Link: https://github.com/yealvarez/CVE/blob/main/CVE-2025-27218/exploit.py
from requests import Request, Session
import sys
import base64


def title():
    # The original prints a figlet-style "CVE-2025-27218" banner; the banner
    # art is garbled in this listing and is replaced by a plain-text line.
    print('CVE-2025-27218 - Sitecore 10.4 Remote Code Execution (RCE)\n')


def exploit(target):
    # The body of exploit() is cut from this listing; see the Link above for
    # the full script. Per the sources on this page it sends a GET request to
    # the target with a Base64-encoded BinaryFormatter payload in the
    # ThumbnailsAccessToken header.
    raise NotImplementedError('exploit() body is not included in this listing')


if __name__ == '__main__':
    title()
    # Argument check reconstructed from the usage/example/exit/else structure
    # of the listing; the usage line itself is garbled with the banner art.
    if len(sys.argv) < 2:
        print('[+] Example: python3 %s https://192.168.0.10\n' % sys.argv[0])
        exit(0)
    else:
        exploit(sys.argv[1])
```
Metasploit
Sitecore CVE-2025-27218 BinaryFormatter Deserialization Exploit (metasploit, CVSS 5.3, CVE-2025-27218 [MEDIUM])
This module exploits a .NET deserialization vulnerability in Sitecore Experience Manager (XM) and Experience Platform (XP) 10.4 by injecting a malicious Base64-encoded BinaryFormatter payload into an HTTP header.
Nuclei
Sitecore Experience Manager (XM)/Experience Platform (XP) 10.4 - Insecure Deserialization (nuclei, CVSS 5.3, CVE-2025-27218 [MEDIUM])
Sitecore Experience Manager (XM) and Experience Platform (XP) 10.4 before KB1002844 allow remote code execution through insecure deserialization.
Template (truncated in the source listing after the remediation key):
```yaml
id: CVE-2025-27218

info:
  name: Sitecore Experience Manager (XM)/Experience Platform (XP) 10.4 - Insecure Deserialization
  author: iamnoooob,rootxharsh,pdresearch
  severity: medium
  description: |
    Sitecore Experience Manager (XM) and Experience Platform (XP) 10.4 before KB1002844 allow remote code execution through insecure deserialization.
  impact: |
    Unauthenticated attackers can execute arbitrary code through insecure deserialization in the ThumbnailsAccessToken header, potentially gaining complete control over the Sitecore server.
  remediation: |
```
HackerOne
insecure deserialize object leads to RCE On Sitecore (CVE-██████████-27218) (hackerone, 2025-05-12, CVSS 5.3, CVE-2025-27218 [MEDIUM])
This critical vulnerability involves an insecure deserialization issue in Sitecore implementation on ██████████ , which has been assigned CVE-2025-27218. The vulnerability allows remote code execution (RCE) through unsanitized user input in the ThumbnailsAccessToken header. Using the BinaryFormatter serialization method, an attacker can create malicious serialized objects with tools like ysoserial.net and execute arbitrary operating system commands on the target server. This poses a severe security risk as it allows complete system compromise, where attackers can create, read, and exfiltrate files, potentially gaining full control of the affected system. The vulnerability has been remediated by removing public acce
Bleepingcomputer
blogs_bleepingcomputer, 2025-06-17
## Sitecore CMS exploit chain starts with hardcoded 'b' password
By Bill Toulas
A chain of Sitecore Experience Platform (XP) vulnerabilities allows attackers to perform remote code execution (RCE) without authentication to breach and hijack servers.
Sitecore is a popular enterprise CMS used by businesses to create and manage content across websites and digital media.
Discovered by watchTowr researchers, the pre-auth RCE chain disclosed today consists of three distinct vulnerabilities. It hinges on the presence of an internal user (sitecore\ServicesAPI) with a hardcoded password set to "b", making it trivial to hijack.
This built-in user isn't an admin and has no assigned roles. However, the researchers could still use it to authenticate via an alternate login path (/sitecore/admin) d
Greynoiseio
NoiseLetter March 2025 (blogs_greynoiseio)