CVE-2025-34509 - Vulnerability Details - OpenCVE

Sitecore Experience Manager (XM) and Experience Platform (XP) versions 10.1 to 10.1.4 rev. 011974 PRE, all versions of 10.2, 10.3 to 10.3.3 rev. 011967 PRE, and 10.4 to 10.4.1 rev. 011941 PRE contain a hardcoded user account. Unauthenticated and remote attackers can use this account to access administrative API over HTTP.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation poc

Automatable yes

Technical Impact total

No data.

No data.

No data.

References

Link	Providers
https://labs.watchtowr.com/is-b-for-backdoor-pre-auth-rce-chain-in-sitecore-experience-platform/

History

Tue, 17 Jun 2025 21:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Tue, 17 Jun 2025 19:15:00 +0000

Type	Values Removed	Values Added
Metrics	cvssV3_1 `{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}`	cvssV3_1 `{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}`

Tue, 17 Jun 2025 18:45:00 +0000

Type	Values Removed	Values Added
Description		Sitecore Experience Manager (XM) and Experience Platform (XP) versions 10.1 to 10.1.4 rev. 011974 PRE, all versions of 10.2, 10.3 to 10.3.3 rev. 011967 PRE, and 10.4 to 10.4.1 rev. 011941 PRE contain a hardcoded user account. Unauthenticated and remote attackers can use this account to access administrative API over HTTP.
Title		Sitecore XM and XP Hardcoded Credentials
Weaknesses		CWE-798
References		https://labs.watchtowr.com/is-b-for-backdoor-pre-auth-rce-chain-in-sitecore-experience-platform/
Metrics		cvssV3_1 `{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}`

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published: 2025-06-17T18:20:57.441Z

Updated: 2025-06-18T03:56:09.729Z

Reserved: 2025-04-15T19:15:22.612Z

Link: CVE-2025-34509

Vulnrichment

Updated: 2025-06-17T19:04:47.633Z

NVD

Status : Awaiting Analysis

Published: 2025-06-17T19:15:31.423

Modified: 2025-06-17T20:50:23.507

Link: CVE-2025-34509

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-34509", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2025-04-15T19:15:22.612Z", "datePublished": "2025-06-17T18:20:57.441Z", "dateUpdated": "2025-06-18T03:56:09.729Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Experience Manager", "vendor": "Sitecore", "versions": [{"lessThan": "10.4.1 rev. 011941 PRE", "status": "affected", "version": "10.4", "versionType": "custom"}, {"lessThan": "10.3.3 rev. 011967 PRE", "status": "affected", "version": "10.3", "versionType": "custom"}, {"lessThan": "10.1.4 rev. 011974 PRE", "status": "affected", "version": "10.1", "versionType": "custom"}]}, {"defaultStatus": "unaffected", "product": "Experience Platform", "vendor": "Sitecore", "versions": [{"lessThan": "10.4.1 rev. 011941 PRE", "status": "affected", "version": "10.4", "versionType": "custom"}, {"lessThan": "10.3.3 rev. 011967 PRE", "status": "affected", "version": "10.3", "versionType": "custom"}, {"lessThan": "10.1.4 rev. 011974 PRE", "status": "affected", "version": "10.1", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Piotr Bazydlo of watchTowr"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Sitecore Experience Manager (XM) and Experience Platform (XP) versions 10.1 to 10.1.4 rev. 011974 PRE, all versions of 10.2, 10.3 to 10.3.3 rev. 011967 PRE, and 10.4 to 10.4.1 rev. 011941 PRE contain a hardcoded user account. Unauthenticated and remote attackers can use this account to access administrative API over HTTP."}], "value": "Sitecore Experience Manager (XM) and Experience Platform (XP) versions 10.1 to 10.1.4 rev. 011974 PRE, all versions of 10.2, 10.3 to 10.3.3 rev. 011967 PRE, and 10.4 to 10.4.1 rev. 011941 PRE contain a hardcoded user account. Unauthenticated and remote attackers can use this account to access administrative API over HTTP."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-798", "description": "CWE-798 Use of Hard-coded Credentials", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2025-06-17T19:06:33.697Z"}, "references": [{"tags": ["third-party-advisory", "exploit", "technical-description"], "url": "https://labs.watchtowr.com/is-b-for-backdoor-pre-auth-rce-chain-in-sitecore-experience-platform/"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Update to patched versions."}], "value": "Update to patched versions."}], "source": {"discovery": "EXTERNAL"}, "title": "Sitecore XM and XP Hardcoded Credentials", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-06-17T00:00:00+00:00", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2025-34509"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-18T03:56:09.729Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-34509", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-06-17T19:43:38.883666Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-17T19:04:47.633Z"}}], "cna": {"title": "Sitecore XM and XP Hardcoded Credentials", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Piotr Bazydlo of watchTowr"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Sitecore", "product": "Experience Manager", "versions": [{"status": "affected", "version": "10.4", "lessThan": "10.4.1 rev. 011941 PRE", "versionType": "custom"}, {"status": "affected", "version": "10.3", "lessThan": "10.3.3 rev. 011967 PRE", "versionType": "custom"}, {"status": "affected", "version": "10.1", "lessThan": "10.1.4 rev. 011974 PRE", "versionType": "custom"}], "defaultStatus": "unaffected"}, {"vendor": "Sitecore", "product": "Experience Platform", "versions": [{"status": "affected", "version": "10.4", "lessThan": "10.4.1 rev. 011941 PRE", "versionType": "custom"}, {"status": "affected", "version": "10.3", "lessThan": "10.3.3 rev. 011967 PRE", "versionType": "custom"}, {"status": "affected", "version": "10.1", "lessThan": "10.1.4 rev. 011974 PRE", "versionType": "custom"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Update to patched versions.", "supportingMedia": [{"type": "text/html", "value": "Update to patched versions.", "base64": false}]}], "references": [{"url": "https://labs.watchtowr.com/is-b-for-backdoor-pre-auth-rce-chain-in-sitecore-experience-platform/", "tags": ["third-party-advisory", "exploit", "technical-description"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Sitecore Experience Manager (XM) and Experience Platform (XP) versions 10.1 to 10.1.4 rev. 011974 PRE, all versions of 10.2, 10.3 to 10.3.3 rev. 011967 PRE, and 10.4 to 10.4.1 rev. 011941 PRE contain a hardcoded user account. Unauthenticated and remote attackers can use this account to access administrative API over HTTP.", "supportingMedia": [{"type": "text/html", "value": "Sitecore Experience Manager (XM) and Experience Platform (XP) versions 10.1 to 10.1.4 rev. 011974 PRE, all versions of 10.2, 10.3 to 10.3.3 rev. 011967 PRE, and 10.4 to 10.4.1 rev. 011941 PRE contain a hardcoded user account. Unauthenticated and remote attackers can use this account to access administrative API over HTTP.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-798", "description": "CWE-798 Use of Hard-coded Credentials"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2025-06-17T19:06:33.697Z"}}}, "cveMetadata": {"cveId": "CVE-2025-34509", "state": "PUBLISHED", "dateUpdated": "2025-06-18T03:56:09.729Z", "dateReserved": "2025-04-15T19:15:22.612Z", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "datePublished": "2025-06-17T18:20:57.441Z", "assignerShortName": "VulnCheck"}, "dataVersion": "5.1"}