Security Vulnerabilities Found in Sitecore Experience Platform
Three significant security vulnerabilities have emerged within the Sitecore Experience Platform, posing risks such as information disclosure and potential remote code execution. These flaws, uncovered by watchTowr Labs, warrant immediate attention from users to safeguard their systems.
Overview of the Vulnerabilities
The identified vulnerabilities include:
- CVE-2025-53693: HTML cache poisoning via unsafe reflection.
- CVE-2025-53691: Remote code execution (RCE) through insecure deserialization.
- CVE-2025-53694: This flaw results in information disclosure through the ItemService API, where a restricted anonymous user could expose cache keys via a brute-force attack.
Sitecore released patches for the first two vulnerabilities in June 2025 and fixed the third in July 2025. The company emphasized that exploiting these vulnerabilities could lead to unauthorized access and potential remote code execution.
Previous Vulnerabilities
These newly reported flaws build on three other vulnerabilities disclosed earlier in June:
- CVE-2025-34509 (CVSS score: 8.2): Involves the use of hard-coded credentials.
- CVE-2025-34510 (CVSS score: 8.8): Enables post-authentication remote code execution via path traversal.
- CVE-2025-34511 (CVSS score: 8.8): Concerns post-authentication remote code execution through the Sitecore PowerShell Extension.
Each of these vulnerabilities had already raised alarm bells within the security community.
Risk Assessment
Piotr Bazydlo, a researcher at watchTowr Labs, noted that the new vulnerabilities could be exploited in combination with previously discovered issues. Particularly concerning is the potential for an exploit chain that starts with the pre-auth HTML cache poisoning vulnerability and concludes with post-authentication RCE.
Exploitation Process
The exploitation process could unfold as follows:
- A malicious actor could use the ItemService API to easily enumerate the HTML cache keys stored in the Sitecore cache.
- By sending crafted HTTP cache poisoning requests to these keys, the attacker can manipulate cached information.
- The poisoning step can then be chained with CVE-2025-53691: the adversary introduces malicious HTML code that, if executed, could trigger an unrestricted BinaryFormatter call that results in code execution.
Bazydlo explained, “We found a way to manipulate a tightly controlled reflection path to invoke a method that allows us to poison any HTML cache key. This single vulnerability opened the door for hijacking Sitecore Experience Platform pages, enabling the injection of arbitrary JavaScript to exploit a post-auth RCE vulnerability.”
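A defender-side check for the enumeration step described above, as an added example that is not from the article, watchTowr Labs or Sitecore: it scans IIS W3C log lines for bursts of ItemService requests from a single client. The route prefix, the threshold, the window and the sample log lines are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: default Sitecore.Services.Client route for ItemService; the
# article does not give the path, so adjust it to your deployment.
ITEMSERVICE_PREFIX = "/sitecore/api/ssc/item"

# Constructed IIS W3C sample: one client bursts, another browses normally.
SAMPLE_LOG = ["#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status"]
SAMPLE_LOG += [f"2025-07-01 10:00:{s:02d} 203.0.113.7 - GET /sitecore/api/ssc/item/search 200"
               for s in range(0, 12, 2)]
SAMPLE_LOG += ["2025-07-01 10:00:05 198.51.100.4 - GET /sitecore/api/ssc/item/search 200",
               "2025-07-01 10:00:06 198.51.100.4 - GET /about-us 200",
               "2025-07-01 10:09:00 198.51.100.4 - GET /sitecore/api/ssc/item/search 200"]

def parse_w3c(lines):
    """Yield one dict per request, keyed by the names in the #Fields header."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))

def flag_enumeration(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {client_ip: peak count} for clients bursting on ItemService."""
    hits = defaultdict(list)
    for rec in parse_w3c(lines):
        if not rec.get("cs-uri-stem", "").lower().startswith(ITEMSERVICE_PREFIX):
            continue
        # "-" unless IIS itself authenticated the caller; skip known-authenticated.
        if rec.get("cs-username", "-") != "-":
            continue
        stamp = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
        hits[rec["c-ip"]].append(stamp)
    flagged = {}
    for ip, times in hits.items():
        times.sort()
        start = peak = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window's left edge
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged
```

Tune the threshold against a baseline of legitimate ItemService traffic before alerting on it.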
Importance of Staying Updated
Given these recent discoveries, Sitecore users are urged to apply the latest security patches promptly. Regular updates and audits of security measures are essential to defend against potential exploits enabled by such vulnerabilities. Awareness and swift action can significantly reduce the risk of unauthorized access and data breaches.
In an increasingly digital environment, understanding and addressing potential security weaknesses is critical for maintaining the integrity of web platforms like Sitecore.


