A series of Sitecore Experience Platform (XP) vulnerabilities allows attackers to carry out remote code execution (RCE) without authentication to breach and hijack servers.
Sitecore is a popular enterprise CMS used by organizations to create and manage content across websites and digital media.
Discovered by watchTowr researchers, the pre-auth RCE chain disclosed today consists of three distinct vulnerabilities. It hinges on the presence of an internal user (sitecore\ServicesAPI) with a hardcoded password set to "b", making it trivial to hijack.
This built-in user is not an admin and has no assigned roles. However, the researchers could still use it to authenticate via an alternate login path (/sitecore/admin), because Sitecore's backend-only login checks are bypassed in non-core database contexts.
The result is a valid ".AspNet.Cookies" session, granting the attacker authenticated access to internal endpoints that are protected by IIS-level authorization but not by Sitecore role checks.
With this initial foothold secured, attackers can exploit the second vulnerability, a Zip Slip flaw in Sitecore's Upload Wizard.
As watchTowr explains, a ZIP file uploaded via the wizard can contain a malicious file path like //../webshell.aspx. Due to insufficient path sanitization and the way Sitecore maps paths, this results in arbitrary files being written into the webroot, even without knowledge of the full filesystem path.
This enables the attacker to upload a webshell and execute code remotely.
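The Zip Slip pattern described above, generalized as an added Python example (this is not Sitecore's code or watchTowr's exploit): a naive extractor that joins each archive entry name onto the upload directory, beside a hardened one that resolves every entry and rejects anything landing outside that directory. The archive and its contents are constructed here; the entry name `../webshell.aspx` is an assumption that mirrors the shape of the path in the write-up, not the exact payload.

```python
"""Zip Slip, illustrated: a naive extractor joins each archive entry name
onto the destination directory and writes wherever the result points; the
hardened extractor resolves the path first and refuses anything that lands
outside the destination."""
import io
import os
import posixpath
import tempfile
import zipfile


def build_malicious_zip() -> bytes:
    """Constructed sample archive (not a real payload): one benign entry and
    one entry whose name climbs out of the extraction directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "benign content\n")
        # writestr stores the name verbatim; nothing normalises it for us.
        zf.writestr("../webshell.aspx", "<!-- placeholder, not a webshell -->")
    return buf.getvalue()


def naive_extract(zip_bytes: bytes, dest: str) -> list:
    """Vulnerable pattern: trusts entry names. Returns the real paths written."""
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = os.path.join(dest, info.filename)  # '..' survives the join
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(os.path.realpath(target))
    return written


def is_contained(dest: str, entry_name: str) -> bool:
    """True only if entry_name resolves to a location inside dest."""
    dest_real = os.path.realpath(dest)
    # Treat backslashes as separators: archives built on Windows and Windows
    # servers (IIS) both use them, so a check that only inspects '/' can be
    # skipped with 'a\\..\\..\\x.aspx'.
    name = entry_name.replace("\\", "/")
    # Absolute paths and drive letters (the drive check is a no-op on POSIX)
    # are rejected outright rather than joined.
    if posixpath.isabs(name) or os.path.splitdrive(name)[0]:
        return False
    target = os.path.realpath(os.path.join(dest_real, name))
    return os.path.commonpath([dest_real, target]) == dest_real


def safe_extract(zip_bytes: bytes, dest: str):
    """Hardened pattern: every entry is checked before any write.
    Returns (real paths written, entry names rejected)."""
    written, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not is_contained(dest, info.filename):
                rejected.append(info.filename)
                continue
            target = os.path.join(dest, info.filename.replace("\\", "/"))
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(os.path.realpath(target))
    return written, rejected


def demo() -> dict:
    """Run both extractors against the constructed archive in a scratch tree
    and report what escaped, what was written and what was rejected."""
    zip_bytes = build_malicious_zip()
    with tempfile.TemporaryDirectory() as root:
        root_real = os.path.realpath(root)
        uploads = os.path.join(root_real, "uploads")
        os.makedirs(uploads)
        # Anything the naive extractor wrote outside 'uploads' is an escape.
        escaped = [p for p in naive_extract(zip_bytes, uploads)
                   if os.path.commonpath([uploads, p]) != uploads]
        safe_dir = os.path.join(root_real, "uploads_safe")
        os.makedirs(safe_dir)
        written, rejected = safe_extract(zip_bytes, safe_dir)
        return {
            "naive_escaped": [os.path.relpath(p, root_real) for p in escaped],
            "safe_written": [os.path.relpath(p, root_real) for p in written],
            "safe_rejected": rejected,
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The naive extractor ends up writing `webshell.aspx` one level above the upload directory, which is the whole point of the attack: when that parent is the webroot, the file is served. The containment check resolves the joined path with `realpath` and compares it against the resolved destination, so `..`, backslash separators and absolute names are all handled by the same comparison rather than by a blacklist of substrings.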
A third vulnerability becomes exploitable when the Sitecore PowerShell Extensions (SPE) module is installed (commonly bundled with SXA).
This flaw allows an attacker to upload arbitrary files to attacker-specified paths, bypassing extension and location restrictions entirely and offering a simpler route to reliable RCE.
Impact and risk
The three vulnerabilities reported by watchTowr affect Sitecore XP versions 10.1 through 10.4.
watchTowr's scans show over 22,000 publicly exposed Sitecore instances, highlighting a large attack surface, though not all of them are necessarily vulnerable.
Patches addressing the issues were made available in May 2025, but the CVE IDs and technical details were embargoed until June 17, 2025, to give customers time to update.
"Sitecore is deployed across thousands of environments, including banks, airlines, and global enterprises — so the blast radius here is massive," commented watchTowr CEO Benjamin Harris to BleepingComputer.
"And no, this isn't theoretical: we've run the full chain, end-to-end. If you're running Sitecore, it doesn't get worse than this – rotate creds and patch immediately before attackers inevitably reverse engineer the fix."
As of writing, there is no public evidence of exploitation in the wild.
However, watchTowr's technical blog contains enough detail to build a fully working exploit, so real-world abuse should be expected shortly.