Path Traversal Vulnerability in Sitecore Experience Manager and Experience Platform
CVE-2025-34510
Key Information:
- Vendor: Sitecore
- CVE Published: 17 June 2025
What is CVE-2025-34510?
Sitecore Experience Manager and Experience Platform versions 9.0 through 9.3 and 10.0 through 10.4 are susceptible to a Zip Slip vulnerability. A remote, authenticated attacker can upload a specially crafted ZIP archive whose entry names contain a path traversal sequence (for example "../"). Zip Slip arises when an extraction routine joins an archive entry's name onto the destination directory without checking that the resulting path still lies inside that directory, so a traversal sequence in the entry name places the file wherever the attacker chooses. Exploiting this flaw lets the attacker write arbitrary files on the server, which can lead to unauthorized code execution. Organizations running affected Sitecore versions should take immediate action to mitigate this risk.
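The Zip Slip mechanism described above, as an added example in Python that is neither Sitecore code nor the published PoC: a constructed archive carries one benign entry and one entry named with "../" components; a naive extractor honours the traversal and writes outside its root, while the hardened extractor resolves each entry against the root and rejects anything that escapes. The archive contents, directory layout and function names are assumptions made for illustration.

```python
"""Added example (not Sitecore code): how a Zip Slip entry escapes the
extraction directory, and the containment check that stops it."""
import io
import os
import tempfile
import zipfile
from typing import Dict, List, Tuple


def build_malicious_zip() -> bytes:
    """Constructed sample archive: one benign entry plus one whose name
    carries a '../' traversal sequence, as a Zip Slip payload does."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("package/readme.txt", "benign content\n")
        zf.writestr("../../escaped.txt", "written outside the extraction root\n")
    return buf.getvalue()


def extract_naive(zip_bytes: bytes, dest: str) -> List[str]:
    """Vulnerable pattern: the entry name is joined onto dest and trusted,
    so '../' components walk out of the extraction directory."""
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            target = os.path.join(dest, info.filename)  # traversal honoured here
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(os.path.realpath(target))
    return written


def is_contained(root: str, entry_name: str) -> bool:
    """True only if the entry resolves to a path inside root. realpath
    collapses '..' and symlinks; commonpath defeats the '/root2' prefix
    trick that a plain startswith(root) check would miss. An absolute
    entry name replaces root in os.path.join and is rejected too."""
    root = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root, entry_name))
    return os.path.commonpath([root, candidate]) == root


def extract_safe(zip_bytes: bytes, dest: str) -> Tuple[List[str], List[str]]:
    """Hardened pattern: every entry is checked for containment before any
    filesystem write; offending names are reported, not extracted."""
    root = os.path.realpath(dest)
    written, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if not is_contained(root, info.filename):
                rejected.append(info.filename)
                continue
            target = os.path.realpath(os.path.join(root, info.filename))
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(target)
    return written, rejected


def demo() -> Dict[str, object]:
    """Run both extractors on the constructed archive inside a temp tree
    nested deep enough that the escaped file lands where we can inspect it."""
    base = tempfile.mkdtemp(prefix="zipslip-")
    naive_dest = os.path.join(base, "outer", "inner", "extract")
    safe_dest = os.path.join(base, "outer", "inner", "safe")
    os.makedirs(naive_dest)
    archive = build_malicious_zip()

    naive_written = extract_naive(archive, naive_dest)
    safe_written, safe_rejected = extract_safe(archive, safe_dest)
    escaped = os.path.join(base, "outer", "escaped.txt")
    return {
        "base": base,
        "escaped_path": escaped,
        "escaped_exists": os.path.exists(escaped),  # True: naive extraction escaped
        "naive_written": naive_written,
        "safe_root": os.path.realpath(safe_dest),
        "safe_written": safe_written,
        "safe_rejected": safe_rejected,  # ['../../escaped.txt']
    }


if __name__ == "__main__":
    result = demo()
    print("naive extraction escaped the root:", result["escaped_exists"])
    print("safe extraction rejected:", result["safe_rejected"])
```

The containment check is the whole fix: resolve the candidate path first, then compare it to the resolved root with a path-aware comparison rather than a string prefix, and do that before touching the filesystem. Logging the rejected entry names, as extract_safe returns them, also gives a detection signal for upload endpoints.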
Affected Version(s)
- Experience Commerce 9.0 through 9.3
- Experience Commerce 10.0 through 10.4
- Experience Manager 9.0 through 9.3
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. Public PoC code is also a key ingredient of weaponization: once it exists, the step from proof of concept to a working exploit used in ransomware campaigns is short.
Timeline
- 📰 First article discovered by watchTowr Labs
- 🟡 Public PoC available
- 👾 Exploit known to exist
- Vulnerability published
- Vulnerability reserved