CVE-2025-34509
Published 2025-06-17
Priority: P1 · 85 · high · CVSS 3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Exploited in the wild (VulnCheck KEV)
EPSS: 38.43% (98.4th percentile)
Sitecore Experience Manager (XM) and Experience Platform (XP) versions 10.1 to 10.1.4 rev. 011974 PRE, all versions of 10.2, 10.3 to 10.3.3 rev. 011967 PRE, and 10.4 to 10.4.1 rev. 011941 PRE contain a hardcoded user account. Unauthenticated and remote attackers can use this account to access administrative API over HTTP.
Affected (10 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sitecore | experience_commerce | 9.0 – 10.4 | — |
| sitecore | experience_manager | >= 10.1 < 10.1.4 rev. 011974 PRE | 10.1.4 rev. 011974 PRE |
| sitecore | experience_manager | >= 10.3 < 10.3.3 rev. 011967 PRE | 10.3.3 rev. 011967 PRE |
| sitecore | experience_manager | >= 10.4 < 10.4.1 rev. 011941 PRE | 10.4.1 rev. 011941 PRE |
| sitecore | experience_manager | 9.0 – 10.4 | — |
| sitecore | experience_platform | — | — |
| sitecore | experience_platform | >= 10.1 < 10.1.4 rev. 011974 PRE | 10.1.4 rev. 011974 PRE |
| sitecore | experience_platform | >= 10.3 < 10.3.3 rev. 011967 PRE | 10.3.3 rev. 011967 PRE |
| sitecore | experience_platform | >= 10.4 < 10.4.1 rev. 011941 PRE | 10.4.1 rev. 011941 PRE |
| sitecore | experience_platform | >= 9.0 < 10.4 | 10.4 |
Detection & IOCs (extracted from sources)
- A successful exploitation results in a Set-Cookie response header containing '.AspNet.Cookies=' on a 200 OK response to the /sitecore/api/ssc/auth/login endpoint; monitor for this pattern from unauthenticated/external sources.
- Monitor for Zip Slip path traversal patterns (e.g., /\/../webshell.aspx) in Sitecore Upload Wizard requests, which indicate the second stage of the exploit chain (CVE-2025-34510) following hardcoded credential abuse.
- Shodan query 'title:"sitecore"' can be used to identify publicly exposed Sitecore instances; over 22,000 were found exposed, representing the attack surface for this vulnerability.
- The exploit chain is also weaponized via Metasploit modules targeting CVE-2025-34510 and CVE-2025-34511, both of which leverage CVE-2025-34509 hardcoded credentials as the initial foothold; monitor for Metasploit-characteristic HTTP patterns against Sitecore endpoints.
- The hardcoded account 'sitecore\ServicesAPI' has no assigned roles and is not an admin by default, but the login check bypass via /sitecore/admin in non-core database contexts elevates its effective access. Defenders should not rely on role-absence as a mitigation.
- The third vulnerability (CVE-2025-34511) is only exploitable when the Sitecore PowerShell Extensions (SPE) module is installed, which is commonly bundled with SXA. Environments without SPE are not exposed to that specific RCE path but remain vulnerable to CVE-2025-34509 and CVE-2025-34510.
- Affected versions span a wide range: XM/XP 10.1 through 10.4.1 (specific revision cutoffs apply). Not all 22,000+ publicly exposed Sitecore instances are necessarily vulnerable; version verification is required.
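As an added example (not from the page or from any of the sources it aggregates), the first two detection items above turned into a small log-scanning routine. The JSON-lines proxy log format, the set_cookie and upload_name fields, the upload request path and the internal address ranges are all assumptions.

```python
import ipaddress
import json
from urllib.parse import unquote

LOGIN_PATH = "/sitecore/api/ssc/auth/login"
COOKIE_MARKER = ".AspNet.Cookies="
# Assumed internal ranges; take these from your own network inventory.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed reverse-proxy records (JSON lines). The set_cookie/upload_name
# fields and the upload request path are assumptions, not values from the page.
SAMPLE_LOG = r"""
{"src": "203.0.113.7", "path": "/sitecore/api/ssc/auth/login", "status": 200, "set_cookie": ".AspNet.Cookies=abc; path=/; HttpOnly"}
{"src": "10.0.0.5", "path": "/sitecore/api/ssc/auth/login", "status": 200, "set_cookie": ".AspNet.Cookies=def; path=/; HttpOnly"}
{"src": "203.0.113.7", "path": "/sitecore/api/ssc/auth/login", "status": 401, "set_cookie": ""}
{"src": "203.0.113.9", "path": "/sitecore/shell/upload-wizard-placeholder", "status": 200, "upload_name": "/\\/../webshell.aspx"}
{"src": "198.51.100.4", "path": "/sitecore/login", "status": 200, "set_cookie": ""}
"""

def is_external(ip):
    # True when the source address is outside the assumed internal ranges.
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def has_traversal(name):
    # Zip-Slip style check: decode twice, fold backslashes, look for "../".
    decoded = unquote(unquote(name)).replace("\\", "/")
    return "../" in decoded

def classify(rec):
    # Return an alert tag for one record, or None when nothing matches.
    if (rec.get("path") == LOGIN_PATH and rec.get("status") == 200
            and COOKIE_MARKER in rec.get("set_cookie", "")
            and is_external(rec["src"])):
        return "external-ssc-login-success"
    if "upload_name" in rec and has_traversal(rec["upload_name"]):
        return "upload-traversal-pattern"
    return None

def scan(log_text):
    # Run classify() over JSON-lines text; return (src, tag) pairs that fired.
    hits = []
    for line in log_text.splitlines():
        if line.strip():
            rec = json.loads(line)
            tag = classify(rec)
            if tag:
                hits.append((rec["src"], tag))
    return hits
```

Internal logins to the SSC endpoint are deliberately not flagged; tighten is_external() if the ServicesAPI account is never expected to log in interactively from anywhere.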
CVSS provenance
- NVD (v3.1): 7.5 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- VulnCheck: 7.5 HIGH
GHSA
GHSA-g93f-92gj-4q4x (ghsa_unreviewed, 2025-06-17, HIGH, CWE-798): same description as the CVE record above.
VulnCheck
Sitecore experience_commerce Use of Hard-coded Credentials (vulncheck, 2025, CVSS 7.5, HIGH): same description as the CVE record above.
Affected: Sitecore Experience Manager (XM)/Experience Platform (XP)
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://app.crowdsec.net/cti/cve-explorer/CVE-2025-34509; https://www.crowdsec.net/vulntracking-report/june-2025; https://api.vulncheck.com/v3/index/vulncheck-canar
No detection rules found.
Nuclei
Sitecore Experience Manager (XM) and Experience Platform (XP) - Hardcoded Credentials (nuclei, CVSS 7.5, HIGH): same description as the CVE record above.
Template:
```yaml
id: CVE-2025-34509

info:
  name: Sitecore Experience Manager (XM) and Experience Platform (XP) - Hardcoded Credentials
  author: daffainfo
  severity: high
  description: |
    Sitecore Experience Manager (XM) and Experience Platform (XP) versions 10.1 to 10.1.4 rev. 011974 PRE, all versions of 10.2, 10.3 to 10.3.3 rev. 011967 PRE, and 10.4 to 10.4.1 rev. 011941 PRE contain a hardcoded
```
Metasploit
Sitecore XP CVE-2025-34511 Post-Authentication File Upload (metasploit, CVSS 7.5, HIGH)
This module exploits CVE-2025-34511, a file upload vulnerability in PowerShell extensions. The module also exploits CVE-2025-34509 (hardcoded credentials of the ServicesAPI account) to gain a foothold.
Metasploit
Sitecore XP CVE-2025-34510 Post-Authentication Remote Code Execution (metasploit, CVSS 7.5, HIGH)
This module exploits CVE-2025-34510, a path traversal leading to remote code execution. The module also exploits CVE-2025-34509 (hardcoded credentials of the ServicesAPI account) to gain a foothold.
Wiz
Crying Out Cloud Newsletter - July 2025 | Wiz (blogs_wiz, 2025-07-01, CVSS 7.2, HIGH)
Cloud security is constantly evolving, and the Wiz Research team is dedicated to keeping you informed. The past month has seen significant vulnerabilities discovered, and there have been a few security incidents affecting cloud users.
We've compiled a shortlist of the most relevant developments. Here are our top picks!
## 🔍 Highlights
## Cryptojacking Campaign Targets Misconfigured DevOps Tools
Wiz Threat Research identified a cryptojacking campaign, attributed to the threat actor JINX-0132, actively exploiting misconfigured and publicly exposed DevOps tools—including HashiCorp Nomad, HashiCorp Consul, Docker, and Gitea—to deploy XMRig-based Monero miners.
JINX-0132 targets exposed Nomad servers lacking ACL protections by submitting malicious jobs through the API, effectively gaining
Checkpoint
23rd June – Threat Intelligence Report (blogs_checkpoint, 2025-06-23, tagged CVE-2025-23121)
For the latest discoveries in cyber research for the week of 23rd June, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
Scania, a Swedish manufacturer of heavy trucks and engines, has suffered a data breach that resulted in the theft of insurance claim documents from its Financial Services systems via compromised credentials of an external IT partner. The stolen data is likely to contain personal, financial, or medical information. The attack ha
Bleepingcomputer
Sitecore CMS exploit chain starts with hardcoded 'b' password (blogs_bleepingcomputer, 2025-06-17)
By Bill Toulas
A chain of Sitecore Experience Platform (XP) vulnerabilities allows attackers to perform remote code execution (RCE) without authentication to breach and hijack servers.
Sitecore is a popular enterprise CMS used by businesses to create and manage content across websites and digital media.
Discovered by watchTowr researchers, the pre-auth RCE chain disclosed today consists of three distinct vulnerabilities. It hinges on the presence of an internal user (sitecore\ServicesAPI) with a hardcoded password set to "b", making it trivial to hijack.
This built-in user isn't an admin and has no assigned roles. However, the researchers could still use it to authenticate via an alternate login path (/sitecore/admin) d
Greynoiseio
NoiseLetter July 2025 (blogs_greynoiseio)