Remote Code Execution Vulnerability in Sitecore Experience Platform and Managed Cloud
CVE-2025-34138

9.3CRITICAL

Key Information:

Vendor

Sitecore

Status
Experience Manager (xm)
Experience Platform (xp)
Experience Commerce (xc)
Managed Cloud
Vendor
CVE Published:
25 July 2025

What is CVE-2025-34138?

A vulnerability in Sitecore Experience Manager (XM), Experience Platform (XP), Experience Commerce (XC), and Managed Cloud allows attackers to execute remote code or gain unauthorized access to sensitive information. This issue impacts all versions from the 9.2 Initial Release up to and including the 10.4 Initial Release across various topologies and deployment models, including PaaS and container-based solutions. Organizations utilizing these products should review the provided vendor advisories for mitigation measures.

Affected Version(s)

Experience Commerce (XC) 9.2 Initial Release <= 10.4 Initial Release

Experience Manager (XM) 9.2 Initial Release <= 10.4 Initial Release

Experience Platform (XP) 9.2 Initial Release <= 10.4 Initial Release

References

https://support.sitecore.com/kb?id=kb_article_view&syspar...
vendor-advisorypatch
https://support.sitecore.com/kb?id=kb_article_view&syspar...
vendor-advisorypatch
https://www.vulncheck.com/advisories/sitecore-xm-xp-xc-ma...
third-party-advisory

CVSS V4

Score:
9.3
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Sitecore
.
CVE-2025-34138 : Remote Code Execution Vulnerability in Sitecore Experience Platform and Managed Cloud