CVE-2025-34511
published 2025-06-17

Priority: P1 · 84 · high
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 8.50% (94.4th percentile)

Sitecore PowerShell Extensions, an add-on to Sitecore Experience Manager (XM) and Experience Platform (XP), through version 7.0 is vulnerable to an unrestricted file upload issue. A remote, authenticated attacker can upload arbitrary files to the server using crafted HTTP requests, resulting in remote code execution.

Affected

5 ranges

Vendor    Product               Version range     Fixed in
sitecore  experience_commerce   9.0 – 10.4
sitecore  experience_manager    9.0 – 10.4
sitecore  experience_platform
sitecore  experience_platform   >= 9.0 < 10.4     10.4
sitecore  powershell_extension  <= 7.0

Detection & IOCs (extracted from sources)

url: /sitecore/admin
cookie: .AspNet.Cookies
path: /\..\/webshell.aspx
other: sitecore\ServicesAPI
  • Monitor for authentication attempts using the account 'sitecore\ServicesAPI' with the hardcoded password 'b', especially via the /sitecore/admin login path, as this is the initial foothold step in the exploit chain.
  • Detect path traversal sequences (e.g., /../) in file upload requests to Sitecore's Upload Wizard endpoint, which may indicate Zip Slip exploitation (CVE-2025-34510) used as part of the chain leading to webshell placement.
  • Alert on arbitrary file uploads to attacker-specified paths via the Sitecore PowerShell Extensions (SPE) module, particularly .aspx/.ashx files written outside expected upload directories, indicating CVE-2025-34511 exploitation.
  • A Metasploit module exists for this CVE (sitecore_xp_cve_2025_34511); monitor for exploit framework signatures and POST requests consistent with its file upload chain against Sitecore XP 10.1–10.4 instances.
  • The exploit chain requires the Sitecore PowerShell Extensions (SPE) module to be installed (commonly bundled with SXA) for CVE-2025-34511 to be reachable; environments without SPE are not vulnerable to this specific file upload vector.
  • Affected versions are Sitecore XP 10.1 through 10.4; patches were made available in May 2025 under Security Bulletin 2025-003.
  • The hardcoded credential bypass (CVE-2025-34509) works because Sitecore's backend-only login checks are bypassed in non-core database contexts, meaning standard role-based access controls do not block the ServicesAPI account from authenticating via /sitecore/admin.

CVSS provenance

nvd        v3.1  8.8  HIGH  CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vulncheck        8.8  HIGH