Pre-authentication remote code execution exploit chain reported in Sitecore Experience platform
Take action: If you are running Sitecore Experience Platform, update to the latest version IMMEDIATELY. These flaws let attackers gain full control of your content management system with nothing more than knowledge of a single-character password "b" that has been embedded in installations since version 10.1.
Security researchers are reporting a vulnerability exploit chain in Sitecore Experience Platform that enables unauthenticated attackers to achieve complete remote code execution on enterprise content management systems.
Sitecore Experience Platform is deployed across major corporations, including banks, airlines, and Fortune 500 companies. The platform's deep integration into organizational digital infrastructure means successful exploitation could provide attackers with extensive access to sensitive corporate data and the ability to disrupt critical business operations.
The vulnerabilities, discovered by watchTowr Labs and publicly reported on June 17, 2025, include hardcoded credentials and unsafe file handling mechanisms that can be chained together to compromise the platform.
Vulnerabilities summary
- CVE-2025-34509 (CVSS score 8.2) - hardcoded credentials for the internal sitecore\ServicesAPI user account, which has a trivially guessable single-character password "b". This password has been embedded in Sitecore installers since version 10.1, creating a widespread authentication weakness across enterprise deployments. The vulnerability allows unauthenticated attackers to bypass authentication checks by leveraging an alternate login path through the /sitecore/admin endpoint, which bypasses backend-only login restrictions when accessing non-core database contexts.
- CVE-2025-34510 (CVSS score 8.8) - remote code execution vulnerability through a ZIP slip attack in Sitecore's Upload Wizard functionality. Attackers authenticated as the ServicesAPI user can upload specially crafted ZIP archives containing malicious file paths like "//../webshell.aspx" that exploit insufficient path sanitization.
- CVE-2025-34511 (CVSS score 8.8) - remote code execution flaw in the Sitecore PowerShell Extension module. When installed (commonly bundled with Sitecore SXA), this vulnerability allows authenticated users to upload arbitrary files to attacker-specified paths through the PowerShellUploadFile2.aspx endpoint, completely bypassing extension restrictions and location controls. This provides a simpler alternative route to reliable remote code execution for attackers who have gained initial authentication through the hardcoded credentials.
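As an added defensive illustration (not code from the advisory, from watchTowr, or from Sitecore), the check an archive upload handler needs in order to reject the "//../webshell.aspx"-style entries and extension-bypass paths described above, in Python; the destination directory, the allowed-extension list and the sample archive are constructed for the example:

```python
import io
import os
import posixpath
import zipfile

# Constructed allowlist for the demonstration; a real deployment derives its own.
ALLOWED_EXTENSIONS = {".png", ".jpg", ".html", ".css"}


def classify_entry(name: str, dest_dir: str, allowed=ALLOWED_EXTENSIONS):
    """Return None if the archive entry may be written, else a short reason.

    Every decision is made on the normalised, fully resolved path, not on the
    raw entry name: backslashes count as separators (IIS hosts treat them that
    way), leading slashes are stripped rather than trusted, and the result is
    resolved before being compared against dest_dir.  A ZIP slip entry such as
    "//../webshell.aspx" therefore resolves to the parent of dest_dir and is
    refused, and the extension check runs on the final basename.
    """
    normalized = name.replace("\\", "/").lstrip("/")
    if normalized[1:2] == ":":          # Windows drive letter inside an archive
        return "absolute path"
    base = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(base, normalized))
    if os.path.commonpath([base, target]) != base:
        return "escapes destination"
    if target == base or normalized.endswith("/"):
        return None                     # directory entry, nothing is written
    ext = posixpath.splitext(posixpath.basename(normalized))[1].lower()
    if ext not in allowed:
        return f"extension {ext or '(none)'} not allowed"
    return None


def unsafe_entries(zip_bytes: bytes, dest_dir: str) -> dict:
    """Map each rejected entry name to its reason; an empty dict means extract."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        pairs = ((i.filename, classify_entry(i.filename, dest_dir)) for i in zf.infolist())
        return {name: why for name, why in pairs if why is not None}


def build_sample_archive() -> bytes:
    """Constructed in-memory archive mixing benign entries with traversal attempts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("media/logo.png", b"constructed placeholder")
        zf.writestr("media/../index.html", b"constructed placeholder")  # stays inside
        zf.writestr("//../webshell.aspx", b"constructed placeholder")   # advisory's pattern
        zf.writestr("../../bin/evil.dll", b"constructed placeholder")
        zf.writestr("/page.aspx", b"constructed placeholder")           # extension bypass
    return buf.getvalue()
```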
Affected versions:
Sitecore Experience Manager (XM), Experience Platform (XP), and Experience Commerce (XC) versions 9.0 through 9.3 and 10.0 through 10.4 are affected by the vulnerability chain.
The hardcoded credentials issue specifically impacts installations using Sitecore version 10.1 and later, as earlier versions contained different password hashes that proved more resistant to brute force attacks during the researchers' analysis.
Organizations that performed fresh installations using vulnerable installers are at highest risk, while those that migrated from older versions and retained existing databases may not be affected by the authentication bypass component.
Patched versions
Sitecore has released patches addressing all vulnerabilities in the chain, with fixes becoming available in May 2025. Organizations should immediately upgrade to the latest patched versions and implement additional security measures including credential rotation for all internal service accounts.
The vendor strongly advises against modifying default user accounts due to potential impacts on the security model, creating a complex remediation challenge for organizations.