Path Traversal Vulnerability in Sitecore Experience Manager and Experience Platform
CVE-2025-34510

8.8HIGH

Key Information:

Vendor: Sitecore
Status: Experience Manager; Experience Platform; Experience Commerce
Vendor: CVE Published:; 17 June 2025

Badges

👾 Exploit Exists🟣 EPSS 80%📰 News Worthy

What is CVE-2025-34510?

Sitecore Experience Manager and Experience Platform versions 9.0 to 9.3 and 10.0 to 10.4 are susceptible to a Zip Slip vulnerability. This vulnerability allows a remote, authenticated attacker to upload a specially crafted ZIP archive that includes a path traversal sequence. By exploiting this flaw, attackers can write arbitrary files to the server, potentially leading to unauthorized code execution. Organizations using affected Sitecore versions should take immediate action to mitigate this risk.

Affected Version(s)

Experience Commerce 9.0 <= 9.3

Experience Commerce 10.0 <= 10.4

Experience Manager 9.0 <= 9.3

News Articles

watchTowr Labs

CVE-2025-34509 CVE-2025-34510

Is b For Backdoor? Pre-Auth RCE Chain In Sitecore Experience Platform

Welcome to June! We’re back—this time, we're exploring Sitecore’s Experience Platform (XP), demonstrating a pre-auth RCE chain that we reported to Sitecore in February 2025. We’ve spent a bit of time recently looking at CMS’s given the basic fact that they represent attractive targets for