Security Flaws Discovered in Sitecore Experience Platform
Recent investigations have revealed three significant security vulnerabilities in the widely-used Sitecore Experience Platform (XP). These flaws pose serious risks, as they could be exploited together, allowing unauthorized individuals to execute code remotely without needing prior authentication.
Understanding Sitecore Experience Platform
Sitecore XP is an enterprise-level content management system designed to aid businesses in digital marketing, content management, and data analytics. Given its integral role in managing online interactions, any security gaps could jeopardize sensitive information and operational integrity for organizations leveraging this platform.
Overview of the Vulnerabilities
The vulnerabilities identified include:
- CVE-2025-34509 (CVSS score: 8.2) – Hard-coded credentials vulnerability
- CVE-2025-34510 (CVSS score: 8.8) – Remote code execution via a path traversal issue
- CVE-2025-34511 (CVSS score: 8.8) – Remote code execution through Sitecore PowerShell Extension
These vulnerabilities highlight critical security issues that Sitecore users need to address promptly to prevent potential breaches.
The Hard-Coded Credentials Issue
According to research conducted by watchTowr Labs, one of the most glaring vulnerabilities stems from a hard-coded password associated with the default user account “sitecore\ServicesAPI.” This account has a password that is simply the character “b.” Despite Sitecore’s recommendations against altering default credentials, this oversight could easily be exploited.
The account has no roles or permissions assigned; however, attackers can use this flaw to reach the “/sitecore/admin” API endpoint. This access lets them sign in as “sitecore\ServicesAPI” and obtain a valid session cookie, which can then be used for further exploitation.
How the Exploit Works
Once an attacker gains access as the “sitecore\ServicesAPI” user, they can take advantage of a vulnerability known as zip slip. This makes it feasible to upload a specially crafted ZIP file containing a malicious web shell through the “/sitecore/shell/Applications/Dialogs/Upload/Upload2.aspx” endpoint. Because extraction does not confine the archive’s entries to the upload directory, this second flaw effectively gives the attacker write access to the webroot and opens it to further attacks.
The sequence of actions required for exploitation is as follows:
- Authenticate as the “sitecore\ServicesAPI” user
- Navigate to Upload2.aspx
- Upload the ZIP file containing the web shell
- Select the Unzip option and complete the upload
- Access the web shell to execute commands
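A defender-side check for the zip slip flaw described above, written here as an added example that is not code from the page, from Sitecore or from watchTowr: it vets every entry name in an uploaded archive against the intended extraction directory before anything is written, and refuses the whole archive if any entry would escape. The destination path and the two sample archives are constructed for illustration.

```python
import io
import os
import zipfile

def unsafe_entries(zip_bytes: bytes, dest_dir: str) -> list[str]:
    """Return the archive entries whose extracted path would escape dest_dir.

    The check runs on entry names before anything is written, so it does not
    depend on how the extractor itself treats '..' or absolute paths.
    """
    dest_root = os.path.realpath(dest_dir)
    offenders = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename.replace("\\", "/")
            first = name.split("/", 1)[0]
            # Absolute paths and drive-letter prefixes are rejected outright.
            if name.startswith("/") or ":" in first:
                offenders.append(info.filename)
                continue
            # Resolve the would-be target and require it to stay under dest_root.
            target = os.path.realpath(os.path.join(dest_root, name))
            if os.path.commonpath([dest_root, target]) != dest_root:
                offenders.append(info.filename)
    return offenders

def safe_extract(zip_bytes: bytes, dest_dir: str) -> list[str]:
    """Extract only when every entry is confined to dest_dir; otherwise refuse."""
    offenders = unsafe_entries(zip_bytes, dest_dir)
    if offenders:
        raise ValueError(f"refusing archive, path traversal in entries: {offenders}")
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        zf.extractall(dest_dir)
        return [i.filename for i in zf.infolist()]

def build_archive(entries: dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP; used here only to construct sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

# Constructed sample archives (not captured from any real upload).
BENIGN = build_archive({"media/logo.txt": b"placeholder"})
TRAVERSAL = build_archive({
    "media/logo.txt": b"placeholder",
    "../../evil.aspx": b"placeholder, not a real payload",
})

if __name__ == "__main__":
    print(unsafe_entries(BENIGN, "/srv/site/upload"))     # []
    print(unsafe_entries(TRAVERSAL, "/srv/site/upload"))  # ['../../evil.aspx']
```

The same pre-extraction vetting applies to any upload handler that unpacks archives on behalf of a user, not only the endpoint named in this article.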
PowerShell Extensions Vulnerability
Another significant security flaw lies within the PowerShell Extensions of Sitecore. This vulnerability permits unrestricted file uploads, allowing the “sitecore\ServicesAPI” user to execute remote code via the endpoint “/sitecore%20modules/Shell/PowerShell/UploadFile/PowerShellUploadFile2.aspx.”
watchTowr Labs indicated that this issue traces back to the Sitecore installer, which shipped the vulnerable user database with the ServicesAPI password set to “b.” This change took effect in Sitecore version 10.1. Understanding this context is crucial, as users who installed versions prior to 10.1 may not be affected if their earlier database has not been migrated.
The Urgency of Immediate Action
With past vulnerabilities in Sitecore XP, such as CVE-2019-9874 and CVE-2019-9875, already facing exploitation, it is paramount for all users to apply the latest security patches and updates promptly. Benjamin Harris, CEO of watchTowr, emphasizes the risk associated with the hard-coded password.
“Thousands of organizations, including banks and airlines, utilize Sitecore, amplifying the risk,” he stated. The call to action is clear: organizations must rotate credentials and implement patches without delay to guard against potential attacks.
Sitecore’s Response
A spokesperson from Sitecore acknowledged the vulnerabilities identified by watchTowr and confirmed ongoing collaboration to mitigate these issues. They also provided a Knowledge Base article outlining patches and remedial steps.
Furthermore, Sitecore indicated that they had resolved prior vulnerabilities highlighted by watchTowr back in February 2025 and advised on-premises customers to act swiftly to implement the provided patches.
(This article was updated following Sitecore’s response.)