CVE-2025-34509 (GCVE-0-2025-34509)
Vulnerability from cvelistv5
Published
2025-06-17 18:20
Modified
2025-07-22 13:07
Severity ?
8.2 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
CWE
  • CWE-798 - Use of Hard-coded Credentials
Summary
Sitecore Experience Manager (XM) and Experience Platform (XP) versions 10.1 to 10.1.4 rev. 011974 PRE, all versions of 10.2, 10.3 to 10.3.3 rev. 011967 PRE, and 10.4 to 10.4.1 rev. 011941 PRE contain a hardcoded user account. Unauthenticated and remote attackers can use this account to access administrative API over HTTP.
References
Impacted products
Vendor Product Version
Sitecore Experience Manager Version: 10.4   < 10.4.1 rev. 011941 PRE
Version: 10.3   < 10.3.3 rev. 011967 PRE
Version: 10.1   < 10.1.4 rev. 011974 PRE
 Create a notification for this product.
   Sitecore Experience Platform Version: 10.4   < 10.4.1 rev. 011941 PRE
Version: 10.3   < 10.3.3 rev. 011967 PRE
Version: 10.1   < 10.1.4 rev. 011974 PRE
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-34509",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-06-17T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-18T03:56:09.729Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Experience Manager",
          "vendor": "Sitecore",
          "versions": [
            {
              "lessThan": "10.4.1 rev. 011941 PRE",
              "status": "affected",
              "version": "10.4",
              "versionType": "custom"
            },
            {
              "lessThan": "10.3.3 rev. 011967 PRE",
              "status": "affected",
              "version": "10.3",
              "versionType": "custom"
            },
            {
              "lessThan": "10.1.4 rev. 011974 PRE",
              "status": "affected",
              "version": "10.1",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Experience Platform",
          "vendor": "Sitecore",
          "versions": [
            {
              "lessThan": "10.4.1 rev. 011941 PRE",
              "status": "affected",
              "version": "10.4",
              "versionType": "custom"
            },
            {
              "lessThan": "10.3.3 rev. 011967 PRE",
              "status": "affected",
              "version": "10.3",
              "versionType": "custom"
            },
            {
              "lessThan": "10.1.4 rev. 011974 PRE",
              "status": "affected",
              "version": "10.1",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Piotr Bazydlo of watchTowr"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Sitecore Experience Manager (XM) and Experience Platform (XP) versions 10.1 to 10.1.4 rev. 011974 PRE, all versions of 10.2, 10.3 to 10.3.3 rev. 011967 PRE, and 10.4 to 10.4.1 rev. 011941 PRE contain a hardcoded user account. Unauthenticated and remote attackers can use this account to access administrative API over HTTP."
            }
          ],
          "value": "Sitecore Experience Manager (XM) and Experience Platform (XP) versions 10.1 to 10.1.4 rev. 011974 PRE, all versions of 10.2, 10.3 to 10.3.3 rev. 011967 PRE, and 10.4 to 10.4.1 rev. 011941 PRE contain a hardcoded user account. Unauthenticated and remote attackers can use this account to access administrative API over HTTP."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-798",
              "description": "CWE-798 Use of Hard-coded Credentials",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-22T13:07:15.476Z",
        "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "shortName": "VulnCheck"
      },
      "references": [
        {
          "tags": [
            "third-party-advisory",
            "exploit",
            "technical-description"
          ],
          "url": "https://labs.watchtowr.com/is-b-for-backdoor-pre-auth-rce-chain-in-sitecore-experience-platform/"
        },
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://support.sitecore.com/kb?id=kb_article_view\u0026sysparm_article=KB1003667"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Update to patched versions."
            }
          ],
          "value": "Update to patched versions."
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Sitecore XM and XP Hardcoded Credentials",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
    "assignerShortName": "VulnCheck",
    "cveId": "CVE-2025-34509",
    "datePublished": "2025-06-17T18:20:57.441Z",
    "dateReserved": "2025-04-15T19:15:22.612Z",
    "dateUpdated": "2025-07-22T13:07:15.476Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-34509\",\"sourceIdentifier\":\"disclosure@vulncheck.com\",\"published\":\"2025-06-17T19:15:31.423\",\"lastModified\":\"2025-07-22T14:15:33.827\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Sitecore Experience Manager (XM) and Experience Platform (XP) versions 10.1 to 10.1.4 rev. 011974 PRE, all versions of 10.2, 10.3 to 10.3.3 rev. 011967 PRE, and 10.4 to 10.4.1 rev. 011941 PRE contain a hardcoded user account. Unauthenticated and remote attackers can use this account to access administrative API over HTTP.\"},{\"lang\":\"es\",\"value\":\"Sitecore Experience Manager (XM) y Experience Platform (XP) versiones 10.1 a 10.1.4 rev. 011974 PRE, todas las versiones 10.2, 10.3 a 10.3.3 rev. 011967 PRE y 10.4 a 10.4.1 rev. 011941 PRE contienen una cuenta de usuario codificada. Atacantes remotos no autenticados pueden usar esta cuenta para acceder a la API administrativa a trav\u00e9s de HTTP.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"disclosure@vulncheck.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N\",\"baseScore\":8.2,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":4.2}]},\"weaknesses\":[{\"source\":\"disclosure@vulncheck.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-798\"}]}],\"references\":[{\"url\":\"https://labs.watchtowr.com/is-b-for-backdoor-pre-auth-rce-chain-in-sitecore-experience-platform/\",\"source\":\"disclosure@vulncheck.com\"},{\"url\":\"https://support.sitecore.com/kb?id=kb_article_view\u0026sysparm_article=KB1003667\",\"source\":\"disclosure@vulncheck.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-34509\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-06-17T19:43:38.883666Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-06-17T19:04:47.633Z\"}}], \"cna\": {\"title\": \"Sitecore XM and XP Hardcoded Credentials\", \"source\": {\"discovery\": \"EXTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Piotr Bazydlo of watchTowr\"}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 8.2, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Sitecore\", \"product\": \"Experience Manager\", \"versions\": [{\"status\": \"affected\", \"version\": \"10.4\", \"lessThan\": \"10.4.1 rev. 011941 PRE\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"10.3\", \"lessThan\": \"10.3.3 rev. 011967 PRE\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"10.1\", \"lessThan\": \"10.1.4 rev. 011974 PRE\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"Sitecore\", \"product\": \"Experience Platform\", \"versions\": [{\"status\": \"affected\", \"version\": \"10.4\", \"lessThan\": \"10.4.1 rev. 011941 PRE\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"10.3\", \"lessThan\": \"10.3.3 rev. 011967 PRE\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"10.1\", \"lessThan\": \"10.1.4 rev. 011974 PRE\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unaffected\"}], \"solutions\": [{\"lang\": \"en\", \"value\": \"Update to patched versions.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"Update to patched versions.\", \"base64\": false}]}], \"references\": [{\"url\": \"https://labs.watchtowr.com/is-b-for-backdoor-pre-auth-rce-chain-in-sitecore-experience-platform/\", \"tags\": [\"third-party-advisory\", \"exploit\", \"technical-description\"]}, {\"url\": \"https://support.sitecore.com/kb?id=kb_article_view\u0026sysparm_article=KB1003667\", \"tags\": [\"vendor-advisory\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Sitecore Experience Manager (XM) and Experience Platform (XP) versions 10.1 to 10.1.4 rev. 011974 PRE, all versions of 10.2, 10.3 to 10.3.3 rev. 011967 PRE, and 10.4 to 10.4.1 rev. 011941 PRE contain a hardcoded user account. Unauthenticated and remote attackers can use this account to access administrative API over HTTP.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"Sitecore Experience Manager (XM) and Experience Platform (XP) versions 10.1 to 10.1.4 rev. 011974 PRE, all versions of 10.2, 10.3 to 10.3.3 rev. 011967 PRE, and 10.4 to 10.4.1 rev. 011941 PRE contain a hardcoded user account. Unauthenticated and remote attackers can use this account to access administrative API over HTTP.\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-798\", \"description\": \"CWE-798 Use of Hard-coded Credentials\"}]}], \"providerMetadata\": {\"orgId\": \"83251b91-4cc7-4094-a5c7-464a1b83ea10\", \"shortName\": \"VulnCheck\", \"dateUpdated\": \"2025-07-22T13:07:15.476Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-34509\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-07-22T13:07:15.476Z\", \"dateReserved\": \"2025-04-15T19:15:22.612Z\", \"assignerOrgId\": \"83251b91-4cc7-4094-a5c7-464a1b83ea10\", \"datePublished\": \"2025-06-17T18:20:57.441Z\", \"assignerShortName\": \"VulnCheck\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.