
A series of Sitecore Experience Platform (XP) vulnerabilities allows attackers to perform remote code execution (RCE) without authentication to breach and hijack servers.

Sitecore is a popular enterprise CMS used by businesses to create and manage content across websites and digital media.

Discovered by watchTowr researchers, the pre-auth RCE chain disclosed today consists of three distinct vulnerabilities. It hinges on the presence of an internal user (sitecoreServicesAPI) with a hardcoded password set to “b”, making it trivial to hijack.

This built-in user is not an admin and has no assigned roles. However, the researchers could still use it to authenticate via an alternate login path (/sitecore/admin) because Sitecore’s backend-only login checks are bypassed in non-core database contexts.

The result is a valid “.AspNet.Cookies” session, granting the attacker authenticated access to internal endpoints that are protected by IIS-level authorization but not by Sitecore role checks.

With this initial foothold secured, attackers can exploit the second vulnerability, a Zip Slip flaw in Sitecore’s Upload Wizard.

As watchTowr explains, a ZIP file uploaded via the wizard can contain a malicious file path like //../webshell.aspx. Due to insufficient path sanitization and the way Sitecore maps paths, this results in arbitrary files being written into the webroot, even without knowledge of the full system path.

This allows the attacker to upload a webshell and execute code remotely.
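The Zip Slip pattern described above is straightforward to screen for before an archive is ever extracted. The following is an added example, not Sitecore's code and not from watchTowr's research: a Python pre-extraction validator that rejects archive members whose names could escape the extraction root. It goes slightly beyond the single `//../webshell.aspx` case in the article and also flags backslash separators, absolute paths and Windows drive letters. The archive contents, the `extracted` root directory and all function names are constructed assumptions for illustration.

```python
"""Pre-extraction validation of ZIP member names (Zip Slip / path traversal check)."""
import io
import os
import re
import zipfile
from typing import List

# Windows drive-letter prefix such as "C:" (assumed pattern for this example).
_DRIVE_RE = re.compile(r"^[A-Za-z]:")


def entry_is_unsafe(name: str) -> bool:
    """Return True if an archive member name could escape the extraction root.

    The check is done on the raw name at the path-component level rather than on
    a normalized string: os.path.normpath("//../webshell.aspx") yields
    "//webshell.aspx" on POSIX, which silently hides the traversal attempt.
    Any ".." component is rejected, even one that would net out inside the root.
    """
    normalized = name.replace("\\", "/")  # treat backslashes as separators too
    if normalized.startswith("/") or _DRIVE_RE.match(normalized):
        return True  # absolute path or drive-letter path
    parts = [p for p in normalized.split("/") if p not in ("", ".")]
    return ".." in parts


def resolves_inside(root: str, name: str) -> bool:
    """Defence in depth: resolve the would-be destination and confirm it stays under root."""
    root_real = os.path.realpath(root)
    relative = name.replace("\\", "/").lstrip("/")
    target = os.path.realpath(os.path.join(root_real, relative))
    return target == root_real or target.startswith(root_real + os.sep)


def unsafe_members(zip_bytes: bytes, root: str) -> List[str]:
    """List every member of the archive that fails either check, in archive order."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [
            info.filename
            for info in zf.infolist()
            if entry_is_unsafe(info.filename) or not resolves_inside(root, info.filename)
        ]


def safe_extract(zip_bytes: bytes, root: str) -> List[str]:
    """Refuse the whole archive if any member is unsafe; otherwise extract and return names."""
    bad = unsafe_members(zip_bytes, root)
    if bad:
        raise ValueError(f"archive rejected, unsafe member names: {bad}")
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        zf.extractall(root)
        return zf.namelist()


def build_sample_archive() -> bytes:
    """Constructed sample archive: one benign member plus three traversal attempts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("assets/readme.txt", "benign content")
        zf.writestr("//../webshell.aspx", "constructed placeholder text, not a payload")
        zf.writestr("..\\..\\evil.txt", "constructed placeholder text")
        zf.writestr("/absolute.txt", "constructed placeholder text")
    return buf.getvalue()


if __name__ == "__main__":
    # Assumed extraction root for the demonstration; it need not exist for the checks.
    for member in unsafe_members(build_sample_archive(), "extracted"):
        print("rejected:", member)
```

Running the block reports the three constructed traversal members and leaves `assets/readme.txt` untouched. Rejecting the entire archive on the first bad member, rather than skipping the offending entries, is deliberate: an upload that carries a traversal path is not a file worth partially trusting, and the rejection itself is a useful log event for detection.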

A third vulnerability becomes exploitable when the Sitecore PowerShell Extensions (SPE) module is installed (commonly bundled with SXA).

This flaw allows an attacker to upload arbitrary files to attacker-specified paths, bypassing extension and location restrictions entirely and offering a simpler path to reliable RCE.

Impact and risk

The three vulnerabilities reported by watchTowr affect Sitecore XP versions 10.1 through 10.4.

WatchTowr’s scans show over 22,000 publicly exposed Sitecore instances, highlighting a significant attack surface, though not all of them are necessarily vulnerable.

Patches addressing the issues were made available in May 2025, but the CVE IDs and technical details were embargoed until June 17, 2025, to give customers time to update.

“Sitecore is deployed across thousands of environments, including banks, airlines, and global enterprises — so the blast radius here is huge,” commented watchTowr CEO Benjamin Harris to BleepingComputer.

“And no, this isn’t theoretical: we’ve run the full chain, end-to-end. If you’re running Sitecore, it doesn’t get worse than this – rotate creds and patch immediately before attackers inevitably reverse engineer the fix.”

As of writing, there is no public evidence of exploitation in the wild.

However, watchTowr’s technical blog contains enough detail to build a fully working exploit, so the risk of real-world abuse is imminent.
