Researchers Warn of Sitecore Exploit Chain Linking Cache Poisoning and Remote Code Execution

Researchers Warn of Sitecore Exploit Chain Linking Cache Poisoning and Remote Code Execution

Posted on By CWS

Aug 29, 2025Ravie LakshmananVulnerability / Internet Safety
Three new safety vulnerabilities have been disclosed within the Sitecore Expertise Platform that could possibly be exploited to realize data disclosure and distant code execution.
The failings, per watchTowr Labs, are listed under –

CVE-2025-53693 – HTML cache poisoning by way of unsafe reflections
CVE-2025-53691 – Distant code execution (RCE) by way of insecure deserialization
CVE-2025-53694 – Info Disclosure in ItemService API with a restricted nameless person, resulting in publicity of cache keys utilizing a brute-force method

Patches for the primary two shortcomings have been launched by Sitecore in June and for the third in July 2025, with the corporate stating that “profitable exploitation of the associated vulnerabilities may result in distant code execution and non-authorized entry to data.”

The findings construct on three extra flaws in the identical product that have been detailed by watchTowr again in June –

CVE-2025-34509 (CVSS rating: 8.2) – Use of hard-coded credentials
CVE-2025-34510 (CVSS rating: 8.8) – Put up-authenticated distant code execution by way of path traversal
CVE-2025-34511 (CVSS rating: 8.8) – Put up-authenticated distant code execution by way of Sitecore PowerShell Extension

watchTowr Labs researcher Piotr Bazydlo stated the newly uncovered bugs could possibly be long-established into an exploit chain by bringing collectively the pre-auth HTML cache poisoning vulnerability with a post-authenticated distant code execution challenge to compromise a fully-patched Sitecore Expertise Platform occasion.
The whole sequence of occasions main as much as code execution is as follows: A risk actor might leverage the ItemService API, if uncovered, to trivially enumerate HTML cache keys saved within the Sitecore cache and ship HTTP cache poisoning requests to these keys.
This might then be chained with CVE-2025-53691 to provide malicious HTML code that in the end ends in code execution by the use of an unrestricted BinaryFormatter name.
“We managed to abuse a really restricted reflection path to name a technique that lets us poison any HTML cache key,” Bazydlo stated. “That single primitive opened the door to hijacking Sitecore Expertise Platform pages – and from there, dropping arbitrary JavaScript to set off a Put up-Auth RCE vulnerability.”

The Hacker News Tags:, , , , , , , , , ,

Related Posts

New MongoDB Flaw Lets Unauthenticated Attackers Read Uninitialized Memory New MongoDB Flaw Lets Unauthenticated Attackers Read Uninitialized Memory The Hacker News
Are Forgotten AD Service Accounts Leaving You at Risk? Are Forgotten AD Service Accounts Leaving You at Risk? The Hacker News
Malicious Rust Crate Delivers OS-Specific Malware to Web3 Developer Systems Malicious Rust Crate Delivers OS-Specific Malware to Web3 Developer Systems The Hacker News
Threat Actors Weaponize HexStrike AI to Exploit Citrix Flaws Within a Week of Disclosure Threat Actors Weaponize HexStrike AI to Exploit Citrix Flaws Within a Week of Disclosure The Hacker News
Spyware Alerts, Mirai Strikes, Docker Leaks, ValleyRAT Rootkit — and 20 More Stories Spyware Alerts, Mirai Strikes, Docker Leaks, ValleyRAT Rootkit — and 20 More Stories The Hacker News
CISA Adds Gladinet and CWP Flaws to KEV Catalog Amid Active Exploitation Evidence CISA Adds Gladinet and CWP Flaws to KEV Catalog Amid Active Exploitation Evidence The Hacker News