CVE-2025-34509
published 2025-06-17

CVE-2025-34509: Sitecore Experience Manager (XM) and Experience Platform (XP) versions 10.1 to 10.1.4 rev. 011974 PRE, all versions of 10.2, 10.3 to 10.3.3 rev. 011967 PRE…

Priority: P1 · 85
Severity: high (CVSS 3.1 base score 7.5)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Tags: ITW, Exploit, VulnCheck KEV
Exploited in the wild
EPSS: 38.43% (98.4th percentile)
Sitecore Experience Manager (XM) and Experience Platform (XP) versions 10.1 to 10.1.4 rev. 011974 PRE, all versions of 10.2, 10.3 to 10.3.3 rev. 011967 PRE, and 10.4 to 10.4.1 rev. 011941 PRE contain a hardcoded user account. Unauthenticated and remote attackers can use this account to access administrative API over HTTP.

Affected

10 ranges

Vendor     Product              Version range                        Fixed in
sitecore   experience_commerce  9.0 – 10.4                           -
sitecore   experience_manager   >= 10.1 < 10.1.4 rev. 011974 PRE     10.1.4 rev. 011974 PRE
sitecore   experience_manager   >= 10.3 < 10.3.3 rev. 011967 PRE     10.3.3 rev. 011967 PRE
sitecore   experience_manager   >= 10.4 < 10.4.1 rev. 011941 PRE     10.4.1 rev. 011941 PRE
sitecore   experience_manager   9.0 – 10.4                           -
sitecore   experience_platform  -                                    -
sitecore   experience_platform  >= 10.1 < 10.1.4 rev. 011974 PRE     10.1.4 rev. 011974 PRE
sitecore   experience_platform  >= 10.3 < 10.3.3 rev. 011967 PRE     10.3.3 rev. 011967 PRE
sitecore   experience_platform  >= 10.4 < 10.4.1 rev. 011941 PRE     10.4.1 rev. 011941 PRE
sitecore   experience_platform  >= 9.0 < 10.4                        10.4

Detection & IOCs (extracted from sources)

url: /sitecore/api/ssc/auth/login
url: /sitecore/admin
cookie: .AspNet.Cookies
other: username: sitecore\ServicesAPI, password: b
command: {"domain":"sitecore","username":"ServicesAPI","password":"b"}
path: /\../webshell.aspx
  • A successful exploitation results in a Set-Cookie response header containing '.AspNet.Cookies=' on a 200 OK response to the /sitecore/api/ssc/auth/login endpoint — monitor for this pattern from unauthenticated/external sources.
  • Monitor for Zip Slip path traversal patterns (e.g., /\/../webshell.aspx) in Sitecore Upload Wizard requests, which indicate the second stage of the exploit chain (CVE-2025-34510) following hardcoded credential abuse.
  • Shodan query 'title:"sitecore"' can be used to identify publicly exposed Sitecore instances; over 22,000 were found exposed, representing the attack surface for this vulnerability.
  • The exploit chain is also weaponized via Metasploit modules targeting CVE-2025-34510 and CVE-2025-34511, both of which leverage CVE-2025-34509 hardcoded credentials as the initial foothold — monitor for Metasploit-characteristic HTTP patterns against Sitecore endpoints.
  • The hardcoded account 'sitecore\ServicesAPI' has no assigned roles and is not an admin by default, but the login check bypass via /sitecore/admin in non-core database contexts elevates its effective access. Defenders should not rely on role-absence as a mitigation.
  • The third vulnerability (CVE-2025-34511) is only exploitable when the Sitecore PowerShell Extensions (SPE) module is installed, which is commonly bundled with SXA. Environments without SPE are not exposed to that specific RCE path but remain vulnerable to CVE-2025-34509 and CVE-2025-34510.
  • Affected versions span a wide range: XM/XP 10.1 through 10.4.1 (specific revision cutoffs apply). Not all 22,000+ publicly exposed Sitecore instances are necessarily vulnerable; version verification is required.
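The two monitoring points in the notes above (a 200 OK on /sitecore/api/ssc/auth/login that sets .AspNet.Cookies for an external client, and a traversal sequence in an Upload Wizard request) can be turned into a small log check. The following Python is an added example written for this page, not code from the record's sources. It assumes a reverse proxy in front of Sitecore that writes one JSON object per request and records the names of the Set-Cookie headers it returned; the log lines are constructed, the trusted network list is a placeholder to adjust, and the Upload Wizard path pattern is an assumption (the notes only say "Upload Wizard requests"), so match it to your instance.

```python
import ipaddress
import json
import re
from urllib.parse import unquote

# Constructed sample (not real traffic): one JSON object per line, assumed to be written by a
# reverse proxy in front of Sitecore that records the names of Set-Cookie headers it returned.
SAMPLE_LOG = """\
{"ts":"2025-06-18T09:12:01Z","src":"10.20.0.15","method":"POST","path":"/sitecore/api/ssc/auth/login","query":"","status":200,"set_cookie":[".AspNet.Cookies"]}
{"ts":"2025-06-18T09:13:44Z","src":"203.0.113.7","method":"POST","path":"/sitecore/api/ssc/auth/login","query":"","status":200,"set_cookie":[".AspNet.Cookies"]}
{"ts":"2025-06-18T09:13:45Z","src":"203.0.113.7","method":"POST","path":"/sitecore/api/ssc/auth/login","query":"","status":401,"set_cookie":[]}
{"ts":"2025-06-18T09:14:10Z","src":"203.0.113.7","method":"POST","path":"/sitecore/shell/Applications/Dialogs/Upload/Upload.aspx","query":"file=%2F%5C..%2Fwebshell.aspx","status":200,"set_cookie":[]}
{"ts":"2025-06-18T09:15:00Z","src":"10.20.0.15","method":"GET","path":"/sitecore/shell/default.aspx","query":"","status":200,"set_cookie":[]}
"""

# Networks from which SSC API logins are expected (assumption: adjust to your environment).
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

SSC_LOGIN_PATH = "/sitecore/api/ssc/auth/login"
AUTH_COOKIE = ".AspNet.Cookies"
# Assumed Upload Wizard location; the page only names "Upload Wizard requests", so match broadly.
UPLOAD_PATH_RE = re.compile(r"^/sitecore/shell/.*upload", re.IGNORECASE)
# ".." adjacent to a forward or back slash once percent-encoding is removed (covers /\../ from the IOC list).
TRAVERSAL_RE = re.compile(r"[\\/]\.\.|\.\.[\\/]")


def is_external(ip: str) -> bool:
    """True when the source address is outside every trusted network."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in TRUSTED_NETS)


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo up to `rounds` layers of percent-encoding so double-encoded traversal is still seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def parse_log(text: str) -> list[dict]:
    """Parse the JSON-lines log, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(text: str) -> list[dict]:
    """Apply both detections from the IOC notes and return one alert per matching request."""
    alerts = []
    for rec in parse_log(text):
        path = fully_decode(rec["path"])
        query = fully_decode(rec.get("query", ""))
        # Rule 1: successful SSC login (200 + auth cookie issued) from a non-trusted source.
        if (rec["path"] == SSC_LOGIN_PATH and rec["status"] == 200
                and AUTH_COOKIE in rec.get("set_cookie", []) and is_external(rec["src"])):
            alerts.append({"rule": "ssc_login_success_external", "ts": rec["ts"], "src": rec["src"]})
        # Rule 2: traversal sequence in an Upload Wizard request (second stage, CVE-2025-34510).
        if UPLOAD_PATH_RE.search(path) and (TRAVERSAL_RE.search(path) or TRAVERSAL_RE.search(query)):
            alerts.append({"rule": "upload_path_traversal", "ts": rec["ts"], "src": rec["src"],
                           "query": query})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Run against the constructed sample, the internal login and the failed (401) external login produce nothing, while the external 200 OK that issued .AspNet.Cookies and the upload request whose decoded query contains `/\../` each raise one alert. The login rule deliberately keys on the cookie being issued rather than on the request body, since the proxy sees the response but a body logger may not exist.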

CVSS provenance

nvd        v3.1   7.5   HIGH   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vulncheck         7.5   HIGH