Attack

CISA reports actively exploited Sitecore CMS Vulnerabilities

Take action: If you run Sitecore CMS or Experience Platform (XP) and have not patched it since 2019, patch it as soon as possible. Attackers are actively exploiting these flaws, and a CMS cannot realistically be isolated from the network, since it is designed to be reachable from the internet.

The Cybersecurity and Infrastructure Security Agency (CISA) has added two Sitecore CMS deserialization vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog following evidence of active exploitation in the wild.

Vulnerability summary

  • CVE-2019-9874 (CVSS score 9.8) - Sitecore CMS and Experience Platform (XP) Deserialization Vulnerability
  • CVE-2019-9875 (CVSS score 8.8) - Sitecore CMS and Experience Platform (XP) Deserialization Vulnerability

Both vulnerabilities can lead to arbitrary code execution if successfully exploited. Deserialization flaws are a common attack vector, frequently used by malicious cyber actors against enterprise and government systems.

CISA has ordered federal agencies to address these vulnerabilities by April 16, 2025, in accordance with Binding Operational Directive (BOD) 22-01. The directive established the KEV Catalog as a living list of Common Vulnerabilities and Exposures (CVEs) that present significant risk to the federal enterprise.

While BOD 22-01 specifically applies to Federal Civilian Executive Branch (FCEB) agencies, CISA strongly urges all organizations to prioritize remediation of these cataloged vulnerabilities as part of their vulnerability management practices.
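One way to act on the KEV catalog in a vulnerability management process is to match its entries against your own software inventory and track the remediation due date. The script below is an added example, not code from CISA or the advisory; it assumes the field names of CISA's published KEV JSON feed (cveID, vendorProject, product, dueDate), and the sample feed embedded here is constructed from the two CVEs and due date above plus one placeholder entry.

```python
import json
from datetime import date

# Constructed KEV-style sample. Field names are assumed to follow CISA's public feed
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# CVE ids and dueDate come from the advisory; dateAdded and the third entry are placeholders.
SAMPLE_KEV_JSON = """
{
  "vulnerabilities": [
    {"cveID": "CVE-2019-9874", "vendorProject": "Sitecore",
     "product": "CMS and Experience Platform (XP)",
     "vulnerabilityName": "Sitecore CMS and Experience Platform (XP) Deserialization Vulnerability",
     "dateAdded": "PLACEHOLDER-DATE", "dueDate": "2025-04-16"},
    {"cveID": "CVE-2019-9875", "vendorProject": "Sitecore",
     "product": "CMS and Experience Platform (XP)",
     "vulnerabilityName": "Sitecore CMS and Experience Platform (XP) Deserialization Vulnerability",
     "dateAdded": "PLACEHOLDER-DATE", "dueDate": "2025-04-16"},
    {"cveID": "CVE-0000-00000", "vendorProject": "PlaceholderVendor",
     "product": "PlaceholderProduct", "vulnerabilityName": "placeholder entry",
     "dateAdded": "PLACEHOLDER-DATE", "dueDate": "2025-01-01"}
  ]
}
"""


def parse_kev(raw_json):
    """Return the list of KEV vulnerability records from a feed document."""
    return json.loads(raw_json)["vulnerabilities"]


def kev_entries_for(entries, vendor):
    """Select KEV entries whose vendorProject matches an inventory vendor name (case-insensitive)."""
    needle = vendor.lower()
    return [e for e in entries if needle in e["vendorProject"].lower()]


def remediation_status(entries, vendor, today):
    """Map each matching CVE to its due date, days remaining and whether it is overdue."""
    status = {}
    for entry in kev_entries_for(entries, vendor):
        due = date.fromisoformat(entry["dueDate"])
        days_left = (due - today).days
        status[entry["cveID"]] = {
            "product": entry["product"],
            "dueDate": entry["dueDate"],
            "daysLeft": days_left,
            "overdue": days_left < 0,
        }
    return status


if __name__ == "__main__":
    # Hypothetical inventory vendor "Sitecore", evaluated as of 1 April 2025.
    for cve, info in remediation_status(parse_kev(SAMPLE_KEV_JSON), "Sitecore", date(2025, 4, 1)).items():
        print(cve, info)
```

Replace the embedded sample with the live feed contents and the vendor string with entries from your asset inventory to get a per-CVE remediation countdown.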