CVE-2025-34511
Published: 2025-06-17
Priority: P1 · 84 · high · 8.8 (CVSS 3.1)
CVSS vector: AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
ITW exploit · VulnCheck KEV · Exploited in the wild
EPSS: 8.50% (94.4th percentile)
Sitecore PowerShell Extensions, an add-on to Sitecore Experience Manager (XM) and Experience Platform (XP), through version 7.0 is vulnerable to an unrestricted file upload issue. A remote, authenticated attacker can upload arbitrary files to the server using crafted HTTP requests, resulting in remote code execution.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sitecore | experience_commerce | 9.0 – 10.4 | — |
| sitecore | experience_manager | 9.0 – 10.4 | — |
| sitecore | experience_platform | — | — |
| sitecore | experience_platform | >= 9.0 < 10.4 | 10.4 |
| sitecore | powershell_extension | <= 7.0 | — |
Detection & IOCs (extracted from sources)
- Monitor for authentication attempts using the account 'sitecore\ServicesAPI' with the hardcoded password 'b', especially via the /sitecore/admin login path, as this is the initial foothold step in the exploit chain.
- Detect path traversal sequences (e.g., /../) in file upload requests to Sitecore's Upload Wizard endpoint, which may indicate Zip Slip exploitation (CVE-2025-34510) used as part of the chain leading to webshell placement.
- Alert on arbitrary file uploads to attacker-specified paths via the Sitecore PowerShell Extensions (SPE) module, particularly .aspx/.ashx files written outside expected upload directories, indicating CVE-2025-34511 exploitation.
- A Metasploit module exists for this CVE (sitecore_xp_cve_2025_34511); monitor for exploit framework signatures and POST requests consistent with its file upload chain against Sitecore XP 10.1–10.4 instances.
- The exploit chain requires the Sitecore PowerShell Extensions (SPE) module to be installed (commonly bundled with SXA) for CVE-2025-34511 to be reachable; environments without SPE are not vulnerable to this specific file upload vector.
- Affected versions are Sitecore XP 10.1 through 10.4; patches were made available in May 2025 under Security Bulletin 2025-003.
- The hardcoded credential bypass (CVE-2025-34509) works because Sitecore's backend-only login checks are bypassed in non-core database contexts, meaning standard role-based access controls do not block the ServicesAPI account from authenticating via /sitecore/admin.
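The following is an added detection example, not code from this page's sources or from Sitecore: it applies the IOC checks listed above to constructed sample data. Two of the checks run over IIS W3C log lines (a ServicesAPI login via /sitecore/admin, and single- or double-URL-encoded traversal sequences in requests to an upload endpoint); the third runs over file-creation events and flags .aspx/.ashx files written under the web root but outside the expected upload directory. The log field order, the Upload Wizard endpoint path, the web root and the media directory are assumptions, and every sample line is constructed.

```python
"""Detection sketch for the Sitecore chain's IOCs (added example, not from the page's sources).
Endpoint paths, directories and the IIS field order below are assumptions."""
import ntpath
from urllib.parse import unquote

# Assumed W3C field order of the IIS log (set by the site's logging config).
FIELDS = ["date", "time", "method", "uri_stem", "uri_query", "username", "client_ip", "status"]
SERVICESAPI = "sitecore\\servicesapi"        # account named in the IOCs (compared case-insensitively)
ADMIN_LOGIN_PREFIX = "/sitecore/admin"       # alternate login path named in the IOCs
UPLOAD_MARKER = "/upload"                    # assumed substring of the Upload Wizard endpoint
WEBROOT = r"C:\inetpub\wwwroot"              # assumed IIS site root
ALLOWED_UPLOAD_DIRS = (r"C:\inetpub\wwwroot\App_Data\MediaFiles",)  # assumed expected upload dir
WEBSHELL_EXTS = {".aspx", ".ashx"}           # extensions named in the IOCs

# Constructed sample log (not real traffic); line 1 is the W3C header.
SAMPLE_IIS_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip sc-status
2025-06-17 10:01:02 GET /sitecore/login - - 198.51.100.7 200
2025-06-17 10:01:09 POST /sitecore/admin/login.aspx - sitecore\\ServicesAPI 198.51.100.7 302
2025-06-17 10:02:11 POST /sitecore/shell/Applications/Dialogs/Upload/Upload.aspx file=..%2F..%2Fshell.aspx sitecore\\ServicesAPI 198.51.100.7 200
2025-06-17 10:03:40 POST /sitecore/shell/Applications/Dialogs/Upload/Upload.aspx file=%252e%252e%255cx.aspx sitecore\\ServicesAPI 198.51.100.7 200
2025-06-17 10:04:00 POST /sitecore/shell/Applications/Dialogs/Upload/Upload.aspx file=logo.png sitecore\\admin 203.0.113.5 200
2025-06-17 10:05:00 GET /sitecore/admin/ShowConfig.aspx - sitecore\\admin 203.0.113.5 200
"""

# Constructed file-creation events (e.g. from file-system auditing); not real data.
SAMPLE_FILE_EVENTS = [
    {"path": r"C:\inetpub\wwwroot\App_Data\MediaFiles\logo.png", "process": "w3wp.exe"},
    {"path": r"C:\inetpub\wwwroot\sitecore\shell\..\..\temp\cmd.aspx", "process": "w3wp.exe"},
    {"path": r"D:\backup\old.aspx", "process": "robocopy.exe"},
]


def parse_iis_log(text):
    """Turn W3C log text into dicts keyed by FIELDS; skips comments and malformed lines."""
    rows = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # malformed line; a production parser would count these
        row = dict(zip(FIELDS, parts))
        row["lineno"] = lineno
        rows.append(row)
    return rows


def has_traversal(s):
    """True if s contains a parent-directory sequence after up to two rounds of
    URL decoding (catches ../, ..\\, %2e%2e%2f and double-encoded %252e%252e%255c)."""
    for _ in range(2):
        s = unquote(s)
    s = s.replace("\\", "/")
    return "../" in s or s.endswith("..")


def _finding(rule, row):
    return {"rule": rule, "lineno": row["lineno"], "user": row["username"],
            "client_ip": row["client_ip"], "uri": row["uri_stem"]}


def scan_iis_log(text):
    """Apply the two HTTP-side IOC rules; returns a list of finding dicts in log order."""
    findings = []
    for row in parse_iis_log(text):
        stem = row["uri_stem"].lower()
        if row["username"].lower() == SERVICESAPI and stem.startswith(ADMIN_LOGIN_PREFIX):
            findings.append(_finding("servicesapi_login", row))
        if UPLOAD_MARKER in stem and has_traversal(row["uri_stem"] + "?" + row["uri_query"]):
            findings.append(_finding("upload_traversal", row))
    return findings


def _under(path, directory):
    """Case-insensitive 'path is inside directory' test on Windows-style paths."""
    return ntpath.normcase(path).startswith(ntpath.normcase(directory) + "\\")


def flag_file_writes(events):
    """Return (path, process) for .aspx/.ashx files created under the web root but
    outside the allowed upload directories. Paths are normalised first so a '..'
    in the recorded path cannot dodge the check."""
    hits = []
    for ev in events:
        path = ntpath.normpath(ev["path"])
        if ntpath.splitext(path)[1].lower() not in WEBSHELL_EXTS:
            continue
        if not _under(path, WEBROOT):
            continue
        if any(_under(path, d) for d in ALLOWED_UPLOAD_DIRS):
            continue
        hits.append((ev["path"], ev.get("process", "?")))
    return hits


if __name__ == "__main__":
    for f in scan_iis_log(SAMPLE_IIS_LOG):
        print(f"line {f['lineno']}: {f['rule']} user={f['user']} ip={f['client_ip']} uri={f['uri']}")
    for path, proc in flag_file_writes(SAMPLE_FILE_EVENTS):
        print(f"suspicious handler write: {path} by {proc}")
```

On the sample data the login on log line 3 and both encoded traversal requests are reported, while the ordinary upload and the admin's own /sitecore/admin request are not; the file-event rule reports only the .aspx whose normalised path lands in the web root outside the media directory. The double decode in has_traversal is deliberate: a single unquote misses %252e%252e%255c, which is what a proxy that decodes once before logging would hand you.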
CVSS provenance
- NVD (v3.1): 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- VulnCheck: 8.8 HIGH
GHSA
GHSA-74ph-965p-2jc2 · unreviewed · 2025-06-17 · HIGH · CWE-434
Sitecore PowerShell Extensions, an add-on to Sitecore Experience Manager (XM) and Experience Platform (XP), through version 7.0 is vulnerable to an unrestricted file upload issue. A remote, authenticated attacker can upload arbitrary files to the server using crafted HTTP requests, resulting in remote code execution.
VulnCheck
Sitecore experience_commerce Unrestricted Upload of File with Dangerous Type
vulncheck · 2025 · CVSS 8.8 · HIGH
Sitecore PowerShell Extensions, an add-on to Sitecore Experience Manager (XM) and Experience Platform (XP), through version 7.0 is vulnerable to an unrestricted file upload issue. A remote, authenticated attacker can upload arbitrary files to the server using crafted HTTP requests, resulting in remote code execution.
Affected: Sitecore Experience Manager (XM)/Experience Platform (XP)
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://app.crowdsec.net/cti/cve-explorer/CVE-2025-34511; https://www.crowdsec.net/vulntracking-report/june-2025
No detection rules found.
Wiz
Crying Out Cloud Newsletter - July 2025 | Wiz
blogs_wiz · 2025-07-01 · CVSS 7.2 · HIGH
Cloud security is constantly evolving, and the Wiz Research team is dedicated to keeping you informed. The past month has seen significant vulnerabilities discovered, and there have been a few security incidents affecting cloud users.
We've compiled a shortlist of the most relevant developments. Here are our top picks!
## 🔍 Highlights
## Cryptojacking Campaign Targets Misconfigured DevOps Tools
Wiz Threat Research identified a cryptojacking campaign, attributed to the threat actor JINX-0132, actively exploiting misconfigured and publicly exposed DevOps tools—including HashiCorp Nomad, HashiCorp Consul, Docker, and Gitea—to deploy XMRig-based Monero miners.
JINX-0132 targets exposed Nomad servers lacking ACL protections by submitting malicious jobs through the API, effectively gaining
Checkpoint
23rd June – Threat Intelligence Report
blogs_checkpoint · 2025-06-23 · CVE-2025-23121
For the latest discoveries in cyber research for the week of 23rd June, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
Scania, a Swedish manufacturer of heavy trucks and engines, has suffered a data breach that resulted in the theft of insurance claim documents from its Financial Services systems via compromised credentials of an external IT partner. The stolen data is likely to contain personal, financial, or medical information. The attack ha
Bleepingcomputer
Sitecore CMS exploit chain starts with hardcoded 'b' password
blogs_bleepingcomputer · 2025-06-17
By Bill Toulas
A chain of Sitecore Experience Platform (XP) vulnerabilities allows attackers to perform remote code execution (RCE) without authentication to breach and hijack servers.
Sitecore is a popular enterprise CMS used by businesses to create and manage content across websites and digital media.
Discovered by watchTowr researchers, the pre-auth RCE chain disclosed today consists of three distinct vulnerabilities. It hinges on the presence of an internal user (sitecore\ServicesAPI) with a hardcoded password set to "b", making it trivial to hijack.
This built-in user isn't an admin and has no assigned roles. However, the researchers could still use it to authenticate via an alternate login path (/sitecore/admin) d
Greynoiseio
NoiseLetter July 2025
blogs_greynoiseio