Cybersecurity researchers have disclosed three security flaws in the popular Sitecore Experience Platform (XP) that could be chained to achieve pre-authenticated remote code execution.
Sitecore Experience Platform is an enterprise-oriented software that provides users with tools for content management, digital marketing, and analytics and reports.
The list of vulnerabilities is as follows -
- CVE-2025-34509 (CVSS score: 8.2) - Use of hard-coded credentials
- CVE-2025-34510 (CVSS score: 8.8) - Post-authenticated remote code execution via path traversal
- CVE-2025-34511 (CVSS score: 8.8) - Post-authenticated remote code execution via Sitecore PowerShell Extension
watchTowr Labs researcher Piotr Bazydlo said the default user account "sitecore\ServicesAPI" has a single-character password that's hard-coded to "b." In its documentation, Sitecore advises customers against changing default user account credentials.
While the user has no roles and permissions assigned in Sitecore, the attack surface management firm found that the credentials could be alternately used against the "/sitecore/admin" API endpoint to sign in as "sitecore\ServicesAPI" and obtain a valid session cookie for the user.
"While we can't access 'Sitecore Applications' (where a significant portion of functionality is defined) as the ServicesAPI has no roles assigned, we can still: (1) Access a number of APIs, and (2) Pass through IIS authorization rules and directly access some endpoints," Bazydlo explained.
This, in turn, opens the door to remote code execution via a zip slip vulnerability that makes it possible to upload a specially crafted ZIP file via the "/sitecore/shell/Applications/Dialogs/Upload/Upload2.aspx" endpoint and causes the archive's contents (e.g., a web shell) to be written to the webroot directory.
The entire sequence of actions is listed below -
- Authenticate as the "sitecore\ServicesAPI" user
- Access Upload2.aspx
- Upload a ZIP file, which contains a web shell called /\/../<web_shell>
- When prompted, check the Unzip option and complete the upload
- Access the web shell
The third vulnerability has to do with an unrestricted file upload flaw in PowerShell Extensions that can also be exploited as the "sitecore\ServicesAPI" user to achieve remote code execution through the "/sitecore%20modules/Shell/PowerShell/UploadFile/PowerShellUploadFile2.aspx" endpoint.
watchTowr pointed out that the hard-coded password originates from within the Sitecore installer that imports a pre-configured user database with the ServicesAPI password set to "b." This change, the company said, went into effect starting version 10.1.
This also means that the exploit chain only works if users have installed Sitecore using installers for versions ≥ 10.1. Users are likely not impacted if they were previously running a version prior to 10.1 and then upgraded to a newer vulnerable version, assuming the old database is being migrated, and not the database embedded within the installation package.
With previously disclosed flaws in Sitecore XP coming under active exploitation in the wild (CVE-2019-9874 and CVE-2019-9875), it's essential that users apply the latest patches, if not already, to safeguard against potential cyber threats.
"By default, recent versions of Sitecore shipped with a user that had a hard-coded password of 'b.' It's 2025, and we can't believe we still have to say this, but that's very bad," Benjamin Harris, CEO and founder of watchTowr, told The Hacker News in a statement.
"Sitecore is deployed across thousands of environments, including banks, airlines, and global enterprises – so the blast radius here is massive. And no, this isn't theoretical: we've run the full chain, end-to-end. If you're running Sitecore, it doesn't get worse than this – rotate creds and patch immediately before attackers inevitably reverse engineer the fix."
Update
When reached for comment, a Sitecore spokesperson shared the following statement with The Hacker News: "We are aware of the recent report from watchTowr identifying several vulnerabilities in our software. We have actively collaborated with them to address the issue and have published a Knowledge Base article with details of patches and steps to remediate."
The company also pointed out it has remediated a previous finding from watchTowr in February 2025 (CVE-2025-27218, CVSS score: 5.3), which it said had been fixed in December 2024.
"Our customer support teams have proactively communicated these updates to our affected clients. All impacted SaaS products have been remediated, and we strongly advise in-scope on-premises customers to promptly apply the provided patches," the spokesperson said.
(The story was updated after publication to include a response from Sitecore.)
