CVE-2025-34509
CVSS base score: 7.5
Tags: Exploit

Sitecore XM and XP Hardcoded Credentials

Sitecore Experience Manager (XM) and Experience Platform (XP) versions 10.1 to 10.1.4 rev. 011974 PRE, all versions of 10.2, 10.3 to 10.3.3 rev. 011967 PRE, and 10.4 to 10.4.1 rev. 011941 PRE contain a hardcoded user account. Unauthenticated remote attackers can use this account to access the administrative API over HTTP.
Data provided by the National Vulnerability Database (NVD)
Affected products (NVD CPE configuration)
Vendor    Product               Version range
Sitecore  Experience Commerce   >= 9.0, <= 10.4
Sitecore  Experience Manager    >= 9.0, <= 10.4
Sitecore  Experience Platform   >= 9.0, < 10.4
Sitecore  Experience Platform   10.4 (update: -)
Sitecore  Managed Cloud         (version: -)
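The NVD description and the CPE configuration disagree on the affected range (the description starts at 10.1, the CPE rows at 9.0), and Sitecore version strings carry a revision number ("rev. 011974") that a plain semantic-version comparison drops. The following Python check is an added example, not part of this database entry and not Sitecore's or NVD's own tooling: it encodes the four ranges exactly as the NVD description states them and classifies a version string against them. Assumptions, stated here and in the comments: version strings follow the "major.minor[.patch] [rev. NNNNNN] [PRE]" form used in the description; each upper bound is inclusive; the "PRE" suffix does not affect ordering; a missing patch or revision is treated as 0 (conservative, i.e. reported as affected); the hostnames and the revision number 011968 in the sample inventory are constructed. Because the check follows the description, a 9.x or 10.0 host comes back "not in listed ranges", which should be read as "unconfirmed", not "safe", until checked against the vendor advisory.

```python
import re
from typing import List, Optional, Tuple

# Version tuple: (major, minor, patch, revision). A missing patch or
# revision is treated as 0, which is the conservative choice: "10.1.4"
# with no rev cannot be shown to be newer than the fixed build, so it
# is reported as affected. (Assumption, not from the advisory.)
Version = Tuple[int, int, int, int]

# Accepts the forms used in the NVD text: "10.1.4 rev. 011974 PRE",
# "10.3.3 rev. 011967", "10.2". The trailing "PRE" build label is
# accepted and ignored for ordering (assumption).
_VERSION_RE = re.compile(
    r"^\s*(\d+)\.(\d+)(?:\.(\d+))?(?:\s+rev\.?\s*(\d+))?(?:\s+PRE)?\s*$",
    re.IGNORECASE,
)

# Affected ranges copied from the NVD description, upper bound inclusive.
# A None upper bound means "every build of that minor line" (10.2).
AFFECTED_RANGES: List[Tuple[Version, Optional[Version]]] = [
    ((10, 1, 0, 0), (10, 1, 4, 11974)),  # 10.1 to 10.1.4 rev. 011974 PRE
    ((10, 2, 0, 0), None),               # all versions of 10.2
    ((10, 3, 0, 0), (10, 3, 3, 11967)),  # 10.3 to 10.3.3 rev. 011967 PRE
    ((10, 4, 0, 0), (10, 4, 1, 11941)),  # 10.4 to 10.4.1 rev. 011941 PRE
]


def parse_version(text: str) -> Version:
    """Parse a Sitecore version string into a comparable tuple."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Sitecore version string: {text!r}")
    major, minor, patch, rev = m.groups()
    # int() drops the leading zeros of the revision ("011974" -> 11974)
    # so revisions compare numerically, not as strings.
    return (int(major), int(minor), int(patch or 0), int(rev or 0))


def is_affected(text: str) -> bool:
    """True if the version falls inside a range listed in the NVD text."""
    v = parse_version(text)
    for low, high in AFFECTED_RANGES:
        if v < low:
            continue
        if high is None:
            # Whole minor line is affected: match on major.minor only.
            if v[:2] == low[:2]:
                return True
            continue
        if v <= high:
            return True
    return False


def triage(inventory: dict) -> List[Tuple[str, str, bool]]:
    """Classify every host in a {hostname: version} mapping."""
    return [(host, ver, is_affected(ver)) for host, ver in inventory.items()]


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and the 011968 revision
    # are made up for illustration.
    sample = {
        "cm-prod-01": "10.1.4 rev. 011974 PRE",
        "cm-prod-02": "10.3.3 rev. 011968",
        "cd-legacy":  "10.2.1 rev. 000001",
        "cd-old":     "9.3.0",
    }
    for host, ver, hit in triage(sample):
        verdict = "AFFECTED" if hit else "not in listed ranges"
        print(f"{host:12} {ver:26} {verdict}")
```

The revision number is what makes this check worth writing: two hosts can both report "10.1.4" and differ only in the rev, and only the one at or below rev. 011974 is inside the described range. When the inventory source omits the rev, the parser deliberately errs toward "affected" rather than silently treating the host as patched.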
No security advisory (warning) was found for this CVE.
EPSS metrics
Type  Source     Score   Percentile
EPSS  FIRST.org  38.43%  0.984

CVSS metrics
Source                    Base score  Exploitability score  Impact score  Vector string
nvd@nist.gov              7.5         3.9                   3.6           CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
disclosure@vulncheck.com  7.5         3.9                   3.6           CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE-798 Use of Hard-coded Credentials

The product contains hard-coded credentials, such as a password or cryptographic key.

References
https://labs.watchtowr.com/is-b-for-backdoor-pre-auth-rce-chain-in-sitecore-experience-platform/ (Third Party Advisory, Exploit)
https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1003667 (Vendor Advisory)