CVE-2025-34509

Published: Jun 17, 2025Modified: Dec 27, 2025

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

Sitecore Experience Manager (XM) and Experience Platform (XP) versions 10.1 to 10.1.4 rev. 011974 PRE, all versions of 10.2, 10.3 to 10.3.3 rev. 011967 PRE, and 10.4 to 10.4.1 rev. 011941 PRE contain a hardcoded user account. Unauthenticated and remote attackers can use this account to access administrative API over HTTP.

Affected (5)

Products: Sitecore: Experience Commerce, Experience Manager, Experience Platform, Managed Cloud

4 products

Configuration A

5 vulnerable

Vulnerable Software	Affected Versions
Sitecore Experience Commerce	From 9.0 to 10.4
Sitecore Experience Manager	From 9.0 to 10.4
Sitecore Experience Platform	From 9.0 to 10.4
Sitecore Experience Platform	Version 10.4
Sitecore Managed Cloud	All versions

Related CWEs

CWE-798

Use of Hard-coded Credentials

The product contains hard-coded credentials, such as a password or cryptographic key.

References (2)

https://labs.watchtowr.com/is-b-for-backdoor-pre-auth-rce-chain-in-sitecore-experience-platform/

Source: disclosure@vulncheck.com

ExploitThird Party Advisory

https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1003667

Source: disclosure@vulncheck.com

Vendor Advisory

Timeline

No history available yet.