A series of Sitecore Experience Platform (XP) vulnerabilities allows attackers to carry out remote code execution (RCE) without authentication to breach and hijack servers.
Sitecore is a popular enterprise CMS used by businesses to create and manage content across websites and digital media.
Discovered by watchTowr researchers, the pre-auth RCE chain disclosed today consists of three distinct vulnerabilities. It hinges on the presence of an internal user (sitecoreServicesAPI) with a hardcoded password set to "b", making the account trivial to hijack.
This built-in user is not an admin and has no assigned roles. However, the researchers could still use it to authenticate via an alternate login path (/sitecore/admin), because Sitecore's backend-only login checks are bypassed in non-core database contexts.
The result is a valid ".AspNet.Cookies" session, granting the attacker authenticated access to internal endpoints that are protected by IIS-level authorization but not by Sitecore role checks.
With this initial foothold secured, attackers can exploit the second vulnerability, a Zip Slip flaw in Sitecore's Upload Wizard.
As watchTowr explains, a ZIP file uploaded via the wizard can contain a malicious entry path such as //../webshell.aspx. Due to insufficient path sanitization and the way Sitecore maps paths, this results in arbitrary files being written into the webroot, even without knowledge of the full filesystem path.
This enables the attacker to drop a webshell and execute code remotely.
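The Zip Slip class described above is straightforward to check for before an archive is ever extracted. The following Python is an added example, not watchTowr's or Sitecore's code: it flags archive entry names that would escape the extraction root, covering the //../ form cited above as well as the backslash, drive-letter and nested ".." variants that generalise it. The sample archive it builds is constructed for illustration; the entry names and the placeholder .aspx contents are not taken from the advisory.

```python
"""Zip Slip checker: flag archive entries whose names would escape the
extraction directory. Added example; the sample archive is constructed."""
import io
import posixpath
import zipfile


def entry_escapes(name: str) -> bool:
    """Return True if an archive entry name would land outside the extraction root.

    Handles the forms that commonly slip past naive checks: leading slashes,
    backslash separators, '..' components and Windows drive prefixes.
    """
    # Windows-hosted extractors (IIS / .NET) treat backslashes as separators.
    norm = name.replace("\\", "/")
    # A drive letter ("C:/...") is an absolute path on Windows.
    if len(norm) >= 2 and norm[1] == ":":
        return True
    # Absolute paths escape regardless of the chosen root. Note that
    # '//../webshell.aspx' is caught here: normalising it first would
    # collapse the '..' and hide the traversal.
    if norm.startswith("/"):
        return True
    # Collapse '.' and '..' relative to a virtual root; if the result still
    # begins with '..' the entry climbs above the root.
    collapsed = posixpath.normpath(norm)
    return collapsed == ".." or collapsed.startswith("../")


def scan_zip(data: bytes) -> list[str]:
    """Return the entry names in a ZIP (given as bytes) that would escape.

    namelist() is inspected directly rather than relying on ZipFile.extract(),
    which silently strips leading separators and '..' components.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [n for n in zf.namelist() if entry_escapes(n)]


def build_sample_zip() -> bytes:
    """Constructed sample archive: one benign entry and several traversal
    variants, including the '//../' form the write-up cites."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("content/readme.txt", "benign")
        zf.writestr("//../webshell.aspx", '<%@ Page Language="C#" %>')   # placeholder
        zf.writestr("..\\..\\webshell2.aspx", "x")                       # backslash form
        zf.writestr("sub/../../webshell3.aspx", "x")                     # nested '..'
        zf.writestr("sub/../ok.txt", "x")                                # resolves inside root
    return buf.getvalue()


if __name__ == "__main__":
    for entry in scan_zip(build_sample_zip()):
        print("REJECT:", entry)
```

The useful property is that the decision is made on the archive as a whole: any escaping entry is grounds to reject the upload, since an extractor that maps entry names onto the filesystem without this kind of check writes wherever the name says.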
A third vulnerability becomes exploitable when the Sitecore PowerShell Extensions (SPE) module is installed (commonly bundled with SXA).
This flaw allows an attacker to upload arbitrary files to attacker-specified paths, bypassing extension and location restrictions entirely and providing a simpler route to reliable RCE.
Impact and risk
The three vulnerabilities reported by watchTowr affect Sitecore XP versions 10.1 through 10.4.
WatchTowr's scans show over 22,000 publicly exposed Sitecore instances, highlighting a large attack surface, though not all of them are necessarily vulnerable.
Patches addressing the issues were made available in May 2025, but the CVE IDs and technical details were embargoed until June 17, 2025, to give customers time to update.
"Sitecore is deployed across thousands of environments, including banks, airlines, and global enterprises — so the blast radius here is massive," watchTowr CEO Benjamin Harris told BleepingComputer.
"And no, this isn't theoretical: we've run the full chain, end-to-end. If you're running Sitecore, it doesn't get worse than this – rotate creds and patch immediately before attackers inevitably reverse engineer the fix."
As of writing, there is no public evidence of exploitation in the wild.
However, watchTowr's technical blog contains enough detail to build a fully working exploit, so real-world abuse should be expected imminently.