Researchers have uncovered three vulnerabilities in the popular content management system, Sitecore Experience Platform.
- CVE-2025-34509 involves a hard-coded password (consisting of just a single letter) that allows an attacker to remotely log in as a service account.
- CVE-2025-34510 is a Zip Slip vulnerability enabling an authenticated user to upload and extract a ZIP archive to the website’s root directory.
- CVE-2025-34511 also allows users to upload external files to the site, but this time without any restrictions.
By combining the first vulnerability with either of the latter two, an attacker can achieve remote code execution (RCE) on a server running the Sitecore Experience Platform.
There’s currently no evidence of these vulnerabilities being exploited in the wild; however, the detailed analysis published by watchTowr contains enough information for threat actors to weaponize them at any moment.
CVE-2025-34509 — access through a preset account
The Sitecore CMS includes several default accounts, one of which is sitecoreServicesAPI. Naturally, passwords for all accounts are stored in a hashed (and even salted) form. However, this doesn’t make much difference if the password consists of just the single letter “b”. Such a password can be brute-forced in about three seconds.
Notably, Sitecore’s developers advise against modifying default accounts, warning that “editing a default user account can affect other areas of the security model” (whatever that means). Site admins following the official instructions are thus unlikely to change these passwords. As a result, such default accounts are likely present in most websites using this CMS.
That said, the sitecoreServicesAPI user has no assigned rights or roles, so simply authenticating through the standard Sitecore login interface isn’t possible. However, the researchers found a way to bypass the database check required for successful authentication (for details, see the original research). As a result, the attacker obtains a valid session cookie. They still don’t have administrator rights, but this cookie can be used for further attacks.
CVE-2025-34510 — vulnerability in Sitecore’s file uploader
Sitecore has a file upload mechanism that any authenticated user can use. With a valid session cookie, therefore, an attacker can craft an HTTP request to upload a ZIP archive that the server extracts automatically. The essence of CVE-2025-34510 is that, due to flawed input sanitization, an authenticated attacker can perform a path traversal: the extractor honors archive entry names that point outside the intended extraction directory. You can read more about this type of vulnerability — known as Zip Slip — in our post on ZIP file processing. In effect, the attacker can extract the archive to any location — for example, the website’s root folder — and thereby place any file there, such as their own web shell.
CVE-2025-34511 — vulnerability in the file uploader of the Sitecore PowerShell Extensions module
CVE-2025-34511 is an alternative way to compromise Sitecore. This vulnerability is present in the Sitecore PowerShell Extensions module, which is required for a number of Sitecore extensions to function — for example, the Sitecore Experience Accelerator, one of the most popular extensions for this CMS.
Essentially, this vulnerability works in much the same way as CVE-2025-34510, only slightly simpler. The Sitecore PowerShell Extensions module also has its own file upload mechanism, which is available to any authenticated user. Through HTTP requests, an attacker can upload a file with any name and any extension to the CMS and save it to any directory on the website. This means there’s no need to prepare a custom ZIP archive and traversal path, and the result is basically the same: a web shell upload.
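Both CVE-2025-34510 and CVE-2025-34511 come down to the same root cause: the server trusts a client-supplied path, either inside an archive entry name or in the upload request itself. The example below is added here to show the checks a hardened extractor and a hardened single-file upload handler apply; it is not Sitecore code and not watchTowr’s, and the allowlist, directory names and archive contents are constructed for the demonstration.

```python
"""Hardened handling of uploaded archives and single-file uploads (added example)."""
from __future__ import annotations

import io
import os
import zipfile

# Constructed allowlist for the upload handler; a real deployment sets its own.
ALLOWED_UPLOAD_EXTENSIONS = {".jpg", ".png", ".pdf", ".txt"}


def resolve_within(base_dir: str, relative_path: str) -> str:
    """Return the absolute on-disk path for an archive entry under base_dir.

    Raises ValueError if the entry is absolute or, once normalised (with any
    symlinks already on disk resolved), lands outside base_dir. This is the
    check a Zip Slip-vulnerable extractor omits.
    """
    if relative_path.startswith(("/", "\\")) or os.path.splitdrive(relative_path)[0]:
        raise ValueError(f"absolute entry name rejected: {relative_path!r}")
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, relative_path))
    try:
        inside = os.path.commonpath([base, target]) == base
    except ValueError:  # different drives on Windows: certainly not inside
        inside = False
    if not inside:
        raise ValueError(f"entry escapes extraction root: {relative_path!r}")
    return target


def find_unsafe_entries(zip_bytes: bytes, dest_dir: str) -> list[str]:
    """List archive entry names that would be written outside dest_dir."""
    unsafe = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            try:
                resolve_within(dest_dir, info.filename)
            except ValueError:
                unsafe.append(info.filename)
    return unsafe


def safe_extract(zip_bytes: bytes, dest_dir: str) -> list[str]:
    """Extract only if every entry is safe; return the files written.

    All entries are validated before any is written, so a hostile entry hidden
    behind benign ones cannot leave a half-extracted archive on disk.
    """
    unsafe = find_unsafe_entries(zip_bytes, dest_dir)
    if unsafe:
        raise ValueError(f"refusing archive with traversal entries: {unsafe}")
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            target = resolve_within(dest_dir, info.filename)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(target)
    return written


def check_upload_name(filename: str) -> str | None:
    """Return a rejection reason for a direct file upload, or None if acceptable.

    A single-file upload has no business carrying a path at all, so separators
    and parent references are rejected outright rather than normalised away,
    and the extension must be on the allowlist (deny-by-default).
    """
    if not filename or "\x00" in filename:
        return "empty name or embedded NUL"
    if "/" in filename or "\\" in filename:
        return "directory separators are not allowed"
    if filename in (".", ".."):
        return "directory reference is not a file name"
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_UPLOAD_EXTENSIONS:
        return f"extension {ext or '(none)'} not on allowlist"
    return None


def make_zip(entries: dict[str, bytes]) -> bytes:
    """Build an in-memory archive from {entry_name: content} (constructed input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    import tempfile

    benign = make_zip({"docs/readme.txt": b"hello"})
    hostile = make_zip({"docs/readme.txt": b"hello", "../../web/shell.aspx": b"placeholder"})
    with tempfile.TemporaryDirectory() as root:
        print(safe_extract(benign, root))
        print(find_unsafe_entries(hostile, root))
        print(check_upload_name("report.pdf"), check_upload_name("shell.aspx"))
```

The containment test uses os.path.commonpath on realpath-resolved paths rather than a string prefix comparison, so a sibling directory such as uploads_evil is not mistaken for the upload root and a symlink already inside the root cannot redirect a write outside it. Validating the whole archive before writing anything matters in practice: a stop-on-first-error extractor still leaves earlier entries on disk.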
How to protect against attacks on the Sitecore Experience Platform
Patches for these three vulnerabilities were released back in May 2025. If your company uses Sitecore, especially in combination with Sitecore PowerShell Extensions, we recommend updating the CMS as soon as possible. According to NIST descriptions, CVE-2025-34509 affects Sitecore Experience Manager and Experience Platform versions 10.1 through 10.1.4 rev. 011974 PRE; all variants of 10.2; 10.3 through 10.3.3 rev. 011967 PRE; and 10.4 through 10.4.1 rev. 011941 PRE. CVE-2025-34510 is present in Experience Manager, Experience Platform, and Experience Commerce versions 9.0 through 9.3 and 10.0 through 10.4. Lastly, CVE-2025-34511 affects all versions of Sitecore PowerShell Extensions up to version 7.0.
The researchers who discovered these flaws claim to be aware of four other, much more interesting vulnerabilities. However, since patches aren’t ready yet, they’ve said they will disclose these vulnerabilities later. As such, we recommend keeping an eye on upcoming updates from the Sitecore developers.