Cyber Web Spider Blog – News

Hard-Coded ‘b’ Password in Sitecore XP Sparks Major RCE Risk in Enterprise Deployments

Posted on June 17, 2025 By CWS

Jun 17, 2025 | Ravie Lakshmanan | Vulnerability / Enterprise Software
Cybersecurity researchers have disclosed three security flaws in the popular Sitecore Experience Platform (XP) that could be chained to achieve pre-authenticated remote code execution.
Sitecore Experience Platform is enterprise-oriented software that provides users with tools for content management, digital marketing, and analytics and reporting.
The list of vulnerabilities, which are yet to be assigned CVE identifiers, is as follows:

Use of hard-coded credentials
Post-authenticated remote code execution via path traversal
Post-authenticated remote code execution via Sitecore PowerShell Extension

watchTowr Labs researcher Piotr Bazydlo said the default user account "sitecoreServicesAPI" has a single-character password that is hard-coded to "b."
While the user has no roles or permissions assigned in Sitecore, the attack surface management company found that the credentials could instead be used against the "/sitecore/admin" API endpoint to log in as "sitecoreServicesAPI" and obtain a valid session cookie for the user. In other words, "no roles" limits what the account can do in the Sitecore UI, not which HTTP endpoints it can reach.
"While we can't access 'Sitecore Applications' (where a significant portion of functionality is defined) as the ServicesAPI has no roles assigned, we can still: (1) Access various APIs, and (2) Bypass IIS authorization rules and directly access some endpoints," Bazydlo explained.
This, in turn, opens the door to remote code execution via a zip slip vulnerability: a specially crafted ZIP file uploaded through the "/sitecore/shell/Applications/Dialogs/Upload/Upload2.aspx" endpoint, with the unzip option enabled, causes the archive's contents (e.g., a web shell) to be written outside the intended upload location and into the webroot directory.

The entire sequence of actions is listed below:

Authenticate as the "sitecoreServicesAPI" user
Access Upload2.aspx
Upload a ZIP file that contains a web shell whose archive entry name is //../<web_shell>
When prompted, check the Unzip option and complete the upload
Access the web shell
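To make the zip slip step concrete, here is an added Python example (not code from the article, from watchTowr, or from Sitecore) that builds an archive carrying a `//../<name>` entry, extracts it with a naive extractor that strips leading slashes but never rejects `..`, and then with a hardened extractor that refuses the entry. Everything happens inside a temporary directory shaped like `<site>/webroot/upload`; that layout, the file names and the inert marker payload are assumptions for illustration and say nothing about how Sitecore's own Upload2.aspx normalises paths.

```python
import io
import os
import tempfile
import zipfile

# Constructed sample data (not taken from the article or from Sitecore): one
# archive entry whose name climbs out of the upload directory, in the shape
# the article describes ("//../<web_shell>"). The payload is an inert marker
# string, not a web shell.
SLIP_ENTRY = "//../shell.aspx"
BENIGN_ENTRY = "images/logo.txt"
PAYLOAD = b"<!-- constructed marker file, not a web shell -->"


def build_zip_slip_archive() -> bytes:
    """Build an in-memory ZIP with one benign entry and one traversal entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(BENIGN_ENTRY, b"benign")
        zf.writestr(SLIP_ENTRY, PAYLOAD)  # ZipInfo keeps the raw name as given
    return buf.getvalue()


def unsafe_extract(zip_bytes: bytes, dest: str) -> list:
    """Vulnerable extractor: trims leading slashes (a common half-fix) but
    joins the rest blindly, so '../' still escapes dest. Returns paths written."""
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = os.path.normpath(os.path.join(dest, info.filename.lstrip("/")))
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as f:
                f.write(zf.read(info))
            written.append(target)
    return written


def is_safe_entry(name: str, dest: str) -> bool:
    """Hardened check: reject empty or absolute names, any '..' component,
    and anything whose resolved path is not strictly inside dest."""
    if not name or name.startswith(("/", "\\")) or os.path.isabs(name):
        return False
    if ".." in name.replace("\\", "/").split("/"):
        return False
    root = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(root, name))
    return os.path.commonpath([root, target]) == root and target != root


def safe_extract(zip_bytes: bytes, dest: str) -> tuple:
    """Extract only entries that pass is_safe_entry. Returns (written, rejected)."""
    written, rejected = [], []
    root = os.path.realpath(dest)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not is_safe_entry(info.filename, root):
                rejected.append(info.filename)
                continue
            target = os.path.join(root, info.filename)
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as f:
                f.write(zf.read(info))
            written.append(target)
    return written, rejected


def demo() -> dict:
    """Run both extractors in a throwaway <site>/webroot/upload tree and
    report whether the traversal entry landed one level up, in the webroot."""
    archive = build_zip_slip_archive()
    with tempfile.TemporaryDirectory() as site:
        webroot = os.path.join(site, "webroot")
        upload_dir = os.path.join(webroot, "upload")
        os.makedirs(upload_dir)
        unsafe_extract(archive, upload_dir)
        unsafe_escaped = os.path.exists(os.path.join(webroot, "shell.aspx"))

        safe_webroot = os.path.join(site, "safe_webroot")
        safe_upload = os.path.join(safe_webroot, "upload")
        os.makedirs(safe_upload)
        written, rejected = safe_extract(archive, safe_upload)
        safe_escaped = os.path.exists(os.path.join(safe_webroot, "shell.aspx"))
    return {
        "unsafe_wrote_to_webroot": unsafe_escaped,
        "safe_wrote_to_webroot": safe_escaped,
        "safe_rejected": rejected,
        "safe_written_count": len(written),
    }


if __name__ == "__main__":
    print(demo())
```

The naive extractor writes `shell.aspx` next to the upload directory, which is exactly the "archive contents land in the webroot" outcome the article describes; the hardened version rejects the entry by name before touching the filesystem and additionally confirms the resolved path stays under the extraction root, so a symlink inside `dest` cannot be used to escape either.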

The third vulnerability is an unrestricted file upload flaw in Sitecore PowerShell Extensions that can likewise be exploited as the "sitecoreServicesAPI" user to achieve remote code execution through the "/sitecore%20modules/Shell/PowerShell/UploadFile/PowerShellUploadFile2.aspx" endpoint.
watchTowr pointed out that the hard-coded password originates from within the Sitecore installer, which imports a pre-configured user database with the ServicesAPI password set to "b." This change, the company said, went into effect starting with version 10.1.

This also means the exploit chain only works if Sitecore was installed using the installers for versions 10.1 and later. Users are likely not impacted if they were running a version prior to 10.1 and then upgraded to a newer vulnerable version, provided the old database was migrated rather than replaced by the database embedded in the installation package. Either way, confirming whether the "sitecoreServicesAPI" account still carries the default password is the quickest check a defender can make.
With previously disclosed flaws in Sitecore XP having come under active exploitation in the wild (CVE-2019-9874 and CVE-2019-9875), it is essential that users apply the latest patches, if they have not already, to safeguard against potential cyber threats.
"By default, recent versions of Sitecore shipped with a user that had a hard-coded password of 'b.' It's 2025, and we can't believe we still have to say this, but this is very bad," Benjamin Harris, CEO and founder of watchTowr, told The Hacker News in a statement.
"Sitecore is deployed across thousands of environments, including banks, airlines, and global enterprises – so the blast radius here is massive. And no, this isn't theoretical: we've run the full chain, end-to-end. If you're running Sitecore, it doesn't get worse than this – rotate creds and patch immediately before attackers inevitably reverse engineer the fix."
