CVE-2025-34510
Published: 2025-06-17


Priority: P1 (85)
CVSS 3.1: 8.8 (high) — AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
VulnCheck KEV: exploited in the wild
EPSS: 9.31% (94.8th percentile)
Sitecore Experience Manager (XM), Experience Platform (XP), and Experience Commerce (XC) versions 9.0 through 9.3 and 10.0 through 10.4 are affected by a Zip Slip vulnerability. A remote, authenticated attacker can exploit this issue by sending a crafted HTTP request to upload a ZIP archive containing path traversal sequences, allowing arbitrary file writes and leading to code execution.

Affected (8 ranges)

Vendor    Product              Version range    Fixed in
sitecore  experience_commerce  10.0 – 10.4
sitecore  experience_commerce  9.0 – 10.4
sitecore  experience_manager   10.0 – 10.4
sitecore  experience_manager   9.0 – 10.4
sitecore  experience_platform  (not given)
sitecore  experience_platform  10.0 – 10.4
sitecore  experience_platform  >= 9.0 < 10.4    10.4
sitecore  experience_platform  9.0 – 9.3

Detection & IOCs (extracted from sources)

path: /sitecore/admin
cookie: .AspNet.Cookies
other: sitecore\ServicesAPI
  • Monitor for HTTP requests uploading ZIP archives containing path traversal sequences (e.g., '../' or '/\../') to Sitecore Upload Wizard endpoints, which may indicate exploitation of the Zip Slip vulnerability.
  • Alert on authentication attempts to /sitecore/admin using the built-in 'sitecore\ServicesAPI' account (password 'b'), which is the first step in the pre-auth RCE chain (CVE-2025-34509 chained with CVE-2025-34510).
  • Detect creation of .aspx files in unexpected web-accessible directories outside of normal deployment paths, which may indicate a webshell dropped via the Zip Slip path traversal.
  • A Metasploit module exists for this CVE (chained with CVE-2025-34509); monitor for exploit framework signatures targeting Sitecore XP HTTP endpoints on Windows hosts.
  • Monitor for issuance of .AspNet.Cookies session tokens originating from the /sitecore/admin login path for the ServicesAPI account, as this indicates a successful authentication bypass leading to the Zip Slip exploit stage.
  • The Zip Slip RCE (CVE-2025-34510) affects Sitecore XP versions 10.1 through 10.4 in the exploit chain context, though NVD lists the broader range as 9.0–9.3 and 10.0–10.4. Verify exact version scope against Sitecore Security Bulletin 2025-003.
  • As of the disclosure date (June 17, 2025), no public exploitation in the wild had been confirmed, but watchTowr's technical blog contains sufficient detail to build a fully working exploit, making real-world abuse imminent.
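The first and third bullets above describe the condition to catch: an archive whose entry names resolve outside the extraction directory. As an added example (not Sitecore's code and not taken from the bulletin or the watchTowr write-up), the check below inspects entry names before extraction and rejects any that would escape the root, including the backslash and absolute-path forms that matter when the extractor runs on a Windows/.NET host. The sample archive is constructed in the script purely to exercise the check.

```python
import io
import posixpath
import zipfile

# Zip Slip pre-extraction check. Models a Windows/.NET target: backslashes count as
# path separators, and drive-letter or leading-slash names count as absolute paths.


def _normalise(name: str) -> str:
    """Map a ZIP entry name to a forward-slash path as a Windows extractor would see it."""
    return name.replace("\\", "/")


def is_unsafe_entry(name: str) -> bool:
    """True if writing this entry beneath an extraction root could land outside that root."""
    path = _normalise(name)
    # Absolute paths: leading slash (also covers UNC "//server/share") or a drive letter ("C:").
    if path.startswith("/") or (len(path) >= 2 and path[1] == ":"):
        return True
    # normpath collapses "." and "a/.." pairs but keeps a leading ".." when the path
    # climbs above its starting point; that leftover ".." is the escape we reject.
    collapsed = posixpath.normpath(path)
    return collapsed == ".." or collapsed.startswith("../")


def unsafe_entries(archive_bytes: bytes) -> list[str]:
    """Return every entry name in the archive that fails is_unsafe_entry()."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        return [info.filename for info in zf.infolist() if is_unsafe_entry(info.filename)]


def build_sample_archive() -> bytes:
    """Constructed test input: one benign entry plus three traversal variants."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("package/readme.txt", "benign")
        zf.writestr("package/../../escape.txt", "forward-slash traversal")
        zf.writestr("package\\..\\..\\escape2.txt", "backslash traversal")
        zf.writestr("C:\\temp\\absolute.txt", "absolute Windows path")
    return buf.getvalue()


if __name__ == "__main__":
    for entry in unsafe_entries(build_sample_archive()):
        print("REJECT", entry)
```

Run the same check on the server side before calling any extraction routine; an archive with a single rejected entry should be refused whole rather than partially extracted.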

CVSS provenance

nvd: v3.1 8.8 HIGH (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
vulncheck: 8.8 HIGH