Hardcoded User Account Vulnerability in Sitecore Experience Manager and Platform
CVE-2025-34509

8.2 HIGH

Key Information:

Vendor:
Sitecore

CVE Published:
17 June 2025

Badges

👾 Exploit Exists

What is CVE-2025-34509?

Sitecore Experience Manager (XM) and Experience Platform (XP) contain a hardcoded user account that an unauthenticated remote attacker can use to gain unauthorized access to the administrative API over HTTP, a significant security risk. Affected versions are Sitecore XM 10.1 through 10.1.4 rev. 011974 PRE, Sitecore XP 10.2, and versions 10.3 through 10.3.3 rev. 011967 PRE and 10.4 through 10.4.1 rev. 011941 PRE. Organizations running these versions should prioritize remediation to guard against exploitation.

Affected Version(s)

Experience Manager 10.4 < 10.4.1 rev. 011941 PRE

Experience Manager 10.3 < 10.3.3 rev. 011967 PRE

Experience Manager 10.1 < 10.1.4 rev. 011974 PRE

References

CVSS V3.1

Score:
8.2
Severity:
HIGH
Confidentiality:
High
Integrity:
Low
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • 🟡 Public PoC available
  • 👾 Exploit known to exist
  • Vulnerability published
  • Vulnerability reserved

Credit

Piotr Bazydlo of watchTowr