7.5

CVE-2025-34509

Exploit

EPSS 23.18%
Veröffentlicht 17.06.2025 18:20:57
Zuletzt bearbeitet 27.12.2025 17:15:47
Quelle disclosure@vulncheck.com
CVE-Watchlists
Login
Unerledigt
Login

Sitecore Experience Manager (XM) and Experience Platform (XP) versions 10.1 to 10.1.4 rev. 011974 PRE, all versions of 10.2, 10.3 to 10.3.3 rev. 011967 PRE, and 10.4 to 10.4.1 rev. 011941 PRE contain a hardcoded user account. Unauthenticated and remote attackers can use this account to access administrative API over HTTP.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Sitecore ≫ Experience Commerce Version >= 9.0 <= 10.4

Sitecore ≫ Experience Manager Version >= 9.0 <= 10.4

Sitecore ≫ Experience Platform Version >= 9.0 < 10.4

Sitecore ≫ Experience Platform Version10.4 Update-

Sitecore ≫ Managed Cloud Version-

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	23.18%	0.958

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
disclosure@vulncheck.com	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE-798 Use of Hard-coded Credentials

The product contains hard-coded credentials, such as a password or cryptographic key.

https://labs.watchtowr.com/is-b-for-backdoor-pre-auth-rce-chain-in-sitecore-experience-platform/

Third Party Advisory

Exploit

https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1003667

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2025-34509

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-34509

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-34509

EUVD