CVE-2025-34509 (GCVE-0-2025-34509)
Vulnerability from cvelistv5
Published
2025-06-17 18:20
Modified
2025-07-22 13:07
Severity ?
8.2 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
CWE
  • CWE-798 - Use of Hard-coded Credentials
Summary
Sitecore Experience Manager (XM) and Experience Platform (XP) versions 10.1 to 10.1.4 rev. 011974 PRE, all versions of 10.2, 10.3 to 10.3.3 rev. 011967 PRE, and 10.4 to 10.4.1 rev. 011941 PRE contain a hardcoded user account. Unauthenticated and remote attackers can use this account to access administrative API over HTTP.
References
Impacted products
Vendor Product Version
Sitecore Experience Manager Affected: 10.4 , < 10.4.1 rev. 011941 PRE (custom)
Affected: 10.3 , < 10.3.3 rev. 011967 PRE (custom)
Affected: 10.1 , < 10.1.4 rev. 011974 PRE (custom)
Create a notification for this product.
   Sitecore Experience Platform Affected: 10.4 , < 10.4.1 rev. 011941 PRE (custom)
Affected: 10.3 , < 10.3.3 rev. 011967 PRE (custom)
Affected: 10.1 , < 10.1.4 rev. 011974 PRE (custom)
Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-34509",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-06-17T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-18T03:56:09.729Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Experience Manager",
          "vendor": "Sitecore",
          "versions": [
            {
              "lessThan": "10.4.1 rev. 011941 PRE",
              "status": "affected",
              "version": "10.4",
              "versionType": "custom"
            },
            {
              "lessThan": "10.3.3 rev. 011967 PRE",
              "status": "affected",
              "version": "10.3",
              "versionType": "custom"
            },
            {
              "lessThan": "10.1.4 rev. 011974 PRE",
              "status": "affected",
              "version": "10.1",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Experience Platform",
          "vendor": "Sitecore",
          "versions": [
            {
              "lessThan": "10.4.1 rev. 011941 PRE",
              "status": "affected",
              "version": "10.4",
              "versionType": "custom"
            },
            {
              "lessThan": "10.3.3 rev. 011967 PRE",
              "status": "affected",
              "version": "10.3",
              "versionType": "custom"
            },
            {
              "lessThan": "10.1.4 rev. 011974 PRE",
              "status": "affected",
              "version": "10.1",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Piotr Bazydlo of watchTowr"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Sitecore Experience Manager (XM) and Experience Platform (XP) versions 10.1 to 10.1.4 rev. 011974 PRE, all versions of 10.2, 10.3 to 10.3.3 rev. 011967 PRE, and 10.4 to 10.4.1 rev. 011941 PRE contain a hardcoded user account. Unauthenticated and remote attackers can use this account to access administrative API over HTTP."
            }
          ],
          "value": "Sitecore Experience Manager (XM) and Experience Platform (XP) versions 10.1 to 10.1.4 rev. 011974 PRE, all versions of 10.2, 10.3 to 10.3.3 rev. 011967 PRE, and 10.4 to 10.4.1 rev. 011941 PRE contain a hardcoded user account. Unauthenticated and remote attackers can use this account to access administrative API over HTTP."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-798",
              "description": "CWE-798 Use of Hard-coded Credentials",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-22T13:07:15.476Z",
        "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "shortName": "VulnCheck"
      },
      "references": [
        {
          "tags": [
            "third-party-advisory",
            "exploit",
            "technical-description"
          ],
          "url": "https://labs.watchtowr.com/is-b-for-backdoor-pre-auth-rce-chain-in-sitecore-experience-platform/"
        },
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://support.sitecore.com/kb?id=kb_article_view\u0026sysparm_article=KB1003667"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Update to patched versions."
            }
          ],
          "value": "Update to patched versions."
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Sitecore XM and XP Hardcoded Credentials",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
    "assignerShortName": "VulnCheck",
    "cveId": "CVE-2025-34509",
    "datePublished": "2025-06-17T18:20:57.441Z",
    "dateReserved": "2025-04-15T19:15:22.612Z",
    "dateUpdated": "2025-07-22T13:07:15.476Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-34509\",\"sourceIdentifier\":\"disclosure@vulncheck.com\",\"published\":\"2025-06-17T19:15:31.423\",\"lastModified\":\"2025-09-08T19:17:06.773\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Sitecore Experience Manager (XM) and Experience Platform (XP) versions 10.1 to 10.1.4 rev. 011974 PRE, all versions of 10.2, 10.3 to 10.3.3 rev. 011967 PRE, and 10.4 to 10.4.1 rev. 011941 PRE contain a hardcoded user account. Unauthenticated and remote attackers can use this account to access administrative API over HTTP.\"},{\"lang\":\"es\",\"value\":\"Sitecore Experience Manager (XM) y Experience Platform (XP) versiones 10.1 a 10.1.4 rev. 011974 PRE, todas las versiones 10.2, 10.3 a 10.3.3 rev. 011967 PRE y 10.4 a 10.4.1 rev. 011941 PRE contienen una cuenta de usuario codificada. Atacantes remotos no autenticados pueden usar esta cuenta para acceder a la API administrativa a trav\u00e9s de HTTP.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"disclosure@vulncheck.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N\",\"baseScore\":8.2,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":4.2},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"disclosure@vulncheck.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-798\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sitecore:experience_commerce:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"9.0\",\"versionEndIncluding\":\"10.4\",\"matchCriteriaId\":\"DCF77DC5-9DF9-4DF7-9636-69CA4BEEDB04\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sitecore:experience_manager:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"9.0\",\"versionEndIncluding\":\"10.4\",\"matchCriteriaId\":\"17EF29D0-E1DA-4F84-95F4-EA9680EB47DF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sitecore:experience_platform:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"9.0\",\"versionEndExcluding\":\"10.4\",\"matchCriteriaId\":\"88455751-A525-4A59-9DD8-4E015CD1346C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sitecore:experience_platform:10.4:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"78E71AD1-04C7-4D80-9A0A-E386A3FAC860\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sitecore:managed_cloud:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"520CF670-01A2-479F-B637-C413A82463E0\"}]}]}],\"references\":[{\"url\":\"https://labs.watchtowr.com/is-b-for-backdoor-pre-auth-rce-chain-in-sitecore-experience-platform/\",\"source\":\"disclosure@vulncheck.com\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://support.sitecore.com/kb?id=kb_article_view\u0026sysparm_article=KB1003667\",\"source\":\"disclosure@vulncheck.com\",\"tags\":[\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-34509\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-06-17T19:43:38.883666Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-06-17T19:04:47.633Z\"}}], \"cna\": {\"title\": \"Sitecore XM and XP Hardcoded Credentials\", \"source\": {\"discovery\": \"EXTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Piotr Bazydlo of watchTowr\"}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 8.2, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Sitecore\", \"product\": \"Experience Manager\", \"versions\": [{\"status\": \"affected\", \"version\": \"10.4\", \"lessThan\": \"10.4.1 rev. 011941 PRE\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"10.3\", \"lessThan\": \"10.3.3 rev. 011967 PRE\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"10.1\", \"lessThan\": \"10.1.4 rev. 011974 PRE\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"Sitecore\", \"product\": \"Experience Platform\", \"versions\": [{\"status\": \"affected\", \"version\": \"10.4\", \"lessThan\": \"10.4.1 rev. 011941 PRE\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"10.3\", \"lessThan\": \"10.3.3 rev. 011967 PRE\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"10.1\", \"lessThan\": \"10.1.4 rev. 011974 PRE\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unaffected\"}], \"solutions\": [{\"lang\": \"en\", \"value\": \"Update to patched versions.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"Update to patched versions.\", \"base64\": false}]}], \"references\": [{\"url\": \"https://labs.watchtowr.com/is-b-for-backdoor-pre-auth-rce-chain-in-sitecore-experience-platform/\", \"tags\": [\"third-party-advisory\", \"exploit\", \"technical-description\"]}, {\"url\": \"https://support.sitecore.com/kb?id=kb_article_view\u0026sysparm_article=KB1003667\", \"tags\": [\"vendor-advisory\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Sitecore Experience Manager (XM) and Experience Platform (XP) versions 10.1 to 10.1.4 rev. 011974 PRE, all versions of 10.2, 10.3 to 10.3.3 rev. 011967 PRE, and 10.4 to 10.4.1 rev. 011941 PRE contain a hardcoded user account. Unauthenticated and remote attackers can use this account to access administrative API over HTTP.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"Sitecore Experience Manager (XM) and Experience Platform (XP) versions 10.1 to 10.1.4 rev. 011974 PRE, all versions of 10.2, 10.3 to 10.3.3 rev. 011967 PRE, and 10.4 to 10.4.1 rev. 011941 PRE contain a hardcoded user account. Unauthenticated and remote attackers can use this account to access administrative API over HTTP.\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-798\", \"description\": \"CWE-798 Use of Hard-coded Credentials\"}]}], \"providerMetadata\": {\"orgId\": \"83251b91-4cc7-4094-a5c7-464a1b83ea10\", \"shortName\": \"VulnCheck\", \"dateUpdated\": \"2025-07-22T13:07:15.476Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-34509\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-07-22T13:07:15.476Z\", \"dateReserved\": \"2025-04-15T19:15:22.612Z\", \"assignerOrgId\": \"83251b91-4cc7-4094-a5c7-464a1b83ea10\", \"datePublished\": \"2025-06-17T18:20:57.441Z\", \"assignerShortName\": \"VulnCheck\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.