CVE-2025-34510
Published 2025-06-17
CVE-2025-34510: Sitecore Experience Manager (XM), Experience Platform (XP), and Experience Commerce (XC) versions 9.0 through 9.3 and 10.0 through 10.4 are affected by a Zip…
Priority: P1 · 85 · high · CVSS 3.1: 8.8
CVSS vector: AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 9.31% (94.8th percentile)
Sitecore Experience Manager (XM), Experience Platform (XP), and Experience Commerce (XC) versions 9.0 through 9.3 and 10.0 through 10.4 are affected by a Zip Slip vulnerability. A remote, authenticated attacker can exploit this issue by sending a crafted HTTP request to upload a ZIP archive containing path traversal sequences, allowing arbitrary file writes and leading to code execution.
Affected (8 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sitecore | experience_commerce | 10.0 – 10.4 | — |
| sitecore | experience_commerce | 9.0 – 10.4 | — |
| sitecore | experience_manager | 10.0 – 10.4 | — |
| sitecore | experience_manager | 9.0 – 10.4 | — |
| sitecore | experience_platform | — | — |
| sitecore | experience_platform | 10.0 – 10.4 | — |
| sitecore | experience_platform | >= 9.0 < 10.4 | 10.4 |
| sitecore | experience_platform | 9.0 – 9.3 | — |
Detection & IOCs (extracted from sources)
- Monitor for HTTP requests uploading ZIP archives containing path traversal sequences (e.g., '../' or '/\../') to Sitecore Upload Wizard endpoints, which may indicate exploitation of the Zip Slip vulnerability.
- Alert on authentication attempts to /sitecore/admin using the built-in 'sitecore\ServicesAPI' account (password 'b'), which is the first step in the pre-auth RCE chain (CVE-2025-34509 chained with CVE-2025-34510).
- Detect creation of .aspx files in unexpected web-accessible directories outside of normal deployment paths, which may indicate a webshell dropped via the Zip Slip path traversal.
- A Metasploit module exists for this CVE (chained with CVE-2025-34509); monitor for exploit framework signatures targeting Sitecore XP HTTP endpoints on Windows hosts.
- Monitor for issuance of .AspNet.Cookies session tokens originating from the /sitecore/admin login path for the ServicesAPI account, as this indicates a successful authentication bypass leading to the Zip Slip exploit stage.
- The Zip Slip RCE (CVE-2025-34510) affects Sitecore XP versions 10.1 through 10.4 in the exploit chain context, though NVD lists the broader range as 9.0–9.3 and 10.0–10.4. Verify the exact version scope against Sitecore Security Bulletin 2025-003.
- As of the disclosure date (June 17, 2025), no public exploitation in the wild had been confirmed, but watchTowr's technical blog contains sufficient detail to build a fully working exploit, making real-world abuse imminent.
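The detection items above all reduce to one defensive check: before any uploaded ZIP is unpacked, every member name must be shown to resolve inside the intended extraction directory. The following is an added example written for this page, not code from Sitecore, watchTowr or any of the sources quoted here; it assumes a standard ZIP archive and an application that controls its own extraction root. The archive it scans is a constructed fixture (one benign entry plus forward-slash, backslash and absolute-path variants of an escaping entry) so that the guard can be exercised offline. It also shows the secure-extraction half of the same check, which is what a fix for a Zip Slip bug looks like on the application side.

```python
"""Zip Slip guard: inspect ZIP members before extraction and refuse any entry
that would resolve outside the chosen extraction directory.

Added example (not Sitecore or any quoted source's code). Assumes a standard
ZIP archive and that the application chooses the extraction root itself.
"""
import io
import tempfile
import zipfile
from pathlib import Path, PurePosixPath


def is_unsafe_member(name: str) -> bool:
    """Return True if a ZIP member name could escape the extraction root.

    Checks, in order: absolute paths (either separator), Windows drive-letter
    prefixes, and any '..' path component after normalising both separators.
    Backslashes are treated as separators because Windows extractors do so.
    """
    normalized = name.replace("\\", "/")
    if normalized.startswith("/"):
        return True
    if len(normalized) > 1 and normalized[1] == ":":  # e.g. C:... drive prefix
        return True
    return ".." in PurePosixPath(normalized).parts


def scan_archive(data: bytes) -> dict:
    """Classify every member of a ZIP (given as bytes) as safe or unsafe.

    This is the detection side: run it on an upload before extraction and
    alert or reject when the 'unsafe' list is non-empty.
    """
    report = {"safe": [], "unsafe": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            bucket = "unsafe" if is_unsafe_member(info.filename) else "safe"
            report[bucket].append(info.filename)
    return report


def safe_extract(data: bytes, dest: Path) -> list:
    """Extract only members that stay under dest; return the written paths.

    The name-based check is re-validated after OS path resolution so that
    symlinked or oddly normalised destinations cannot re-open the hole.
    """
    dest = dest.resolve()
    written = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if is_unsafe_member(info.filename):
                continue
            target = (dest / info.filename.replace("\\", "/")).resolve()
            if target != dest and dest not in target.parents:
                continue
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
            written.append(str(target.relative_to(dest)))
    return written


def build_sample_archive() -> bytes:
    """Constructed test fixture: one benign entry and three escaping entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("package/readme.txt", "benign content\n")
        zf.writestr("../escape.txt", "would land outside the root\n")
        zf.writestr("..\\..\\escape2.txt", "backslash variant\n")
        zf.writestr("/abs/escape3.txt", "absolute path variant\n")
    return buf.getvalue()


def demo_extract() -> list:
    """Run safe_extract on the fixture in a throwaway directory."""
    with tempfile.TemporaryDirectory() as tmp:
        return safe_extract(build_sample_archive(), Path(tmp))


if __name__ == "__main__":
    print(scan_archive(build_sample_archive()))
    print(demo_extract())
```

The scan rejects on the member name alone, which is what an upload gateway or WAF rule can see; the extraction routine repeats the check after `resolve()` because the name-level test cannot account for symlinks already present under the destination. Both halves are needed: detection without the hardened extractor leaves the write primitive in place, and the extractor without the scan gives no signal that someone tried.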
CVSS provenance
- NVD (v3.1): 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- VulnCheck: 8.8 HIGH
GHSA
GHSA-mh69-97fr-wj66 · ghsa_unreviewed · 2025-06-17 · HIGH · CWE-23
Sitecore Experience Manager (XM), Experience Platform (XP), and Experience Commerce (XC) versions 9.0 through 9.3 and 10.0 through 10.4 are affected by a Zip Slip vulnerability. A remote, authenticated attacker can exploit this issue by sending a crafted HTTP request to upload a ZIP archive containing path traversal sequences, allowing arbitrary file writes and leading to code execution.
VulnCheck
Sitecore experience_commerce Relative Path Traversal · vulncheck · 2025 · CVSS 8.8 · HIGH
Sitecore Experience Manager (XM), Experience Platform (XP), and Experience Commerce (XC) versions 9.0 through 9.3 and 10.0 through 10.4 are affected by a Zip Slip vulnerability. A remote, authenticated attacker can exploit this issue by sending a crafted HTTP request to upload a ZIP archive containing path traversal sequences, allowing arbitrary file writes and leading to code execution.
Affected: Sitecore Experience Manager (XM)/Experience Platform (XP)/Experience Commerce (XC)
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://app.crowdsec.net/cti/cve-explorer/CVE-2025-34510; https://www.crowdsec
No detection rules found.
Wiz
Crying Out Cloud Newsletter - July 2025 | Wiz · blogs_wiz · 2025-07-01 · CVSS 7.2 · HIGH
Cloud security is constantly evolving, and the Wiz Research team is dedicated to keeping you informed. The past month has seen significant vulnerabilities discovered, and there have been a few security incidents affecting cloud users.
We've compiled a shortlist of the most relevant developments. Here are our top picks!
## 🔍 Highlights
## Cryptojacking Campaign Targets Misconfigured DevOps Tools
Wiz Threat Research identified a cryptojacking campaign, attributed to the threat actor JINX-0132, actively exploiting misconfigured and publicly exposed DevOps tools—including HashiCorp Nomad, HashiCorp Consul, Docker, and Gitea—to deploy XMRig-based Monero miners.
JINX-0132 targets exposed Nomad servers lacking ACL protections by submitting malicious jobs through the API, effectively gaining
Checkpoint
23rd June – Threat Intelligence Report · blogs_checkpoint · 2025-06-23 · CVE-2025-23121
## 23rd June – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 23rd June, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
Scania, a Swedish manufacturer of heavy trucks and engines, has suffered a data breach that resulted in the theft of insurance claim documents from its Financial Services systems via compromised credentials of an external IT partner. The stolen data is likely to contain personal, financial, or medical information. The attack ha
Bleepingcomputer · blogs_bleepingcomputer · 2025-06-17
## Sitecore CMS exploit chain starts with hardcoded 'b' password
Bill Toulas
A chain of Sitecore Experience Platform (XP) vulnerabilities allows attackers to perform remote code execution (RCE) without authentication to breach and hijack servers.
Sitecore is a popular enterprise CMS used by businesses to create and manage content across websites and digital media.
Discovered by watchTowr researchers, the pre-auth RCE chain disclosed today consists of three distinct vulnerabilities. It hinges on the presence of an internal user (sitecore\ServicesAPI) with a hardcoded password set to "b", making it trivial to hijack.
This built-in user isn't an admin and has no assigned roles. However, the researchers could still use it to authenticate via an alternate login path (/sitecore/admin) d
Greynoiseio · blogs_greynoiseio
NoiseLetter July 2025