Deserialization Vulnerability in Sitecore Experience Manager and Experience Platform
CVE-2025-53690

CVSS Score: 9 (CRITICAL)

Key Information:

Vendor: Sitecore

CVE Published: 3 September 2025

What is CVE-2025-53690?

A deserialization vulnerability in Sitecore Experience Manager (XM) and Sitecore Experience Platform (XP) could allow an attacker to supply untrusted data that the application deserializes, potentially leading to unauthorized code execution. Applications running affected versions are at risk, so users should confirm they are on updated releases and apply appropriate security measures.

Affected Version(s)

Experience Manager (XM) 0 <= 9.0

Experience Platform (XP) 0 <= 9.0

CVSS v3.1

Score: 9
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability reserved

Credit

Mandiant Threat Defense