Path Traversal Vulnerability in Sitecore Experience Manager and Experience Platform
CVE-2025-34510

8.8HIGH

Key Information:

Vendor: Sitecore
Status: Experience Manager; Experience Platform; Experience Commerce
Vendor: CVE Published:; 17 June 2025

Badges

👾 Exploit Exists

What is CVE-2025-34510?

Sitecore Experience Manager and Experience Platform versions 9.0 to 9.3 and 10.0 to 10.4 are susceptible to a Zip Slip vulnerability. This vulnerability allows a remote, authenticated attacker to upload a specially crafted ZIP archive that includes a path traversal sequence. By exploiting this flaw, attackers can write arbitrary files to the server, potentially leading to unauthorized code execution. Organizations using affected Sitecore versions should take immediate action to mitigate this risk.

Affected Version(s)

Experience Commerce 9.0 <= 9.3

Experience Commerce 10.0 <= 10.4

Experience Manager 9.0 <= 9.3

References

https://labs.watchtowr.com/is-b-for-backdoor-pre-auth-rce...

third-party-advisoryexploittechnical-description

https://support.sitecore.com/kb?id=kb_article_view&syspar...

vendor-advisory

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Jun 17, 2025
👾
Exploit known to exist
Jun 17, 2025
Vulnerability published
Jun 17, 2025
Vulnerability Reserved
Apr 15, 2025

Credit

Piotr Bazydlo of watchTowr