The U.S. Cybersecurity and Infrastructure Safety Company (CISA) has added two six-year-old security flaws impacting Sitecore CMS and Expertise Platform (XP) to its Recognized Exploited Vulnerabilities (KEV) catalog, primarily based on proof of energetic exploitation.
The vulnerabilities are listed beneath –
- CVE-2019-9874 (CVSS rating: 9.8) – A deserialization vulnerability within the Sitecore.Safety.AntiCSRF module that permits an unauthenticated attacker to execute arbitrary code by sending a serialized .NET object within the HTTP POST parameter __CSRFTOKEN
- CVE-2019-9875 (CVSS rating: 8.8) – A deserialization vulnerability within the Sitecore.Safety.AntiCSRF module that permits an authenticated attacker to execute arbitrary code by sending a serialized .NET object within the HTTP POST parameter __CSRFTOKEN
There are at the moment no particulars on how the failings are being weaponized within the wild and by whom, though SiteCore in an replace shared on March 30, 2020, stated it grew to become “conscious of energetic exploitation” of CVE-2019-9874. The corporate makes no point out of CVE-2019-9875 being exploited.
In mild of energetic exploitation, federal companies are required to use the required patches by April 16, 2025, to safe their networks.
The event comes as Akamai stated it has noticed preliminary exploit makes an attempt probing potential servers for a newly disclosed security flaw impacting the Subsequent.js net framework (CVE‑2025‑29927, CVSS rating: 9.1).
An authorization bypass vulnerability, a profitable exploitation may allow an attacker to get round middleware-based security checks by spoofing a header referred to as “x‑middleware‑subrequest” that is used to handle inner request flows. This, in flip, may allow unauthorized entry to delicate utility sources, Checkmarx’s Raphael Silva stated.
“Among the many recognized payloads, one notable method entails utilizing the x-middleware-request header with the worth src/middleware:src/middleware:src/middleware:src/middleware:src/middleware,” the online infrastructure firm stated.
“This strategy simulates a number of inner subrequests inside a single request, triggering Subsequent.js’s inner redirect logic — intently resembling a number of publicly out there proof-of-concept exploits.”
The disclosures additionally observe a warning from GreyNoise about energetic exploitation makes an attempt recorded towards a number of identified vulnerabilities in DrayTek gadgets.
The menace intelligence agency stated it has seen noticed in-the-wild exercise towards the beneath CVE identifiers –
- CVE-2020-8515 (CVSS rating: 9.8) — An working system command injection vulnerability in a number of DrayTek router fashions that would permit distant code execution as root by way of shell metacharacters to the cgi-bin/mainfunction.cgi URI
- CVE-2021-20123 (CVSS rating: 7.5) — An area file inclusion vulnerability in DrayTek VigorConnect that would permit an unauthenticated attacker to obtain arbitrary information from the underlying working system with root privileges by way of the DownloadFileServlet endpoint
- CVE-2021-20124 (CVSS rating: 7.5) — An area file inclusion vulnerability in DrayTek VigorConnect that would permit an unauthenticated attacker to obtain arbitrary information from the underlying working system with root privileges by way of the WebServlet endpoint
Indonesia, Hong Kong, and the US have emerged as the highest vacation spot international locations of the assault site visitors for CVE-2020-8515, whereas Lithuania, the US, and Singapore have been singled out as a part of assaults exploiting CVE-2021-20123 and CVE-2021-20124.
