Sitecore Experience Manager (XM) and Experience Platform (XP) versions 10.1 to 10.1.4 rev. 011974 PRE, all versions of 10.2, 10.3 to 10.3.3 rev. 011967 PRE, and 10.4 to 10.4.1 rev. 011941 PRE contain a hardcoded user account. Unauthenticated and remote attackers can use this account to access administrative API over HTTP.
History

Tue, 17 Jun 2025 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 17 Jun 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}

cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}


Tue, 17 Jun 2025 18:45:00 +0000

Type Values Removed Values Added
Description Sitecore Experience Manager (XM) and Experience Platform (XP) versions 10.1 to 10.1.4 rev. 011974 PRE, all versions of 10.2, 10.3 to 10.3.3 rev. 011967 PRE, and 10.4 to 10.4.1 rev. 011941 PRE contain a hardcoded user account. Unauthenticated and remote attackers can use this account to access administrative API over HTTP.
Title Sitecore XM and XP Hardcoded Credentials
Weaknesses CWE-798
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published: 2025-06-17T18:20:57.441Z

Updated: 2025-06-18T03:56:09.729Z

Reserved: 2025-04-15T19:15:22.612Z

Link: CVE-2025-34509

cve-icon Vulnrichment

Updated: 2025-06-17T19:04:47.633Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2025-06-17T19:15:31.423

Modified: 2025-06-17T20:50:23.507

Link: CVE-2025-34509

cve-icon Redhat

No data.