CVE-2025-53690

Warning
Media report
Exploit
Deserialization of Untrusted Data vulnerability in Sitecore Experience Manager (XM), Sitecore Experience Platform (XP) allows Code Injection. This issue affects Experience Manager (XM): through 9.0; Experience Platform (XP): through 9.0.
Linked by AI from unstructured data to existing NVD CPEs
Data provided by the National Vulnerability Database (NVD)
Sitecore Experience Commerce Version <= 9.0
Sitecore Experience Manager Version <= 9.0
Sitecore Experience Platform Version <= 9.0
Sitecore Managed Cloud Version -

04.09.2025: CISA Known Exploited Vulnerabilities (KEV) Catalog

Vulnerability

Sitecore Multiple Products Deserialization of Untrusted Data Vulnerability

Description

Sitecore Experience Manager (XM), Experience Platform (XP), Experience Commerce (XC), and Managed Cloud contain a deserialization of untrusted data vulnerability involving the use of default machine keys. This flaw allows attackers to exploit exposed ASP.NET machine keys to achieve remote code execution.

Required Actions

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
EPSS Metrics
Type Source Score Percentile
EPSS FIRST.org 10.07% 0.93
CVSS Metrics
Source Base Score Exploit Score Impact Score Vector String
9947ef80-c5d5-474a-bbab-97341a59000e 9 2.2 6 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
CWE-502 Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.