CVE-2025-34510

Published: Jun 17, 2025Modified: Sep 8, 2025

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: disclosure@vulncheck.com (Secondary)

Description

Sitecore Experience Manager (XM), Experience Platform (XP), and Experience Commerce (XC) versions 9.0 through 9.3 and 10.0 through 10.4 are affected by a Zip Slip vulnerability. A remote, authenticated attacker can exploit this issue by sending a crafted HTTP request to upload a ZIP archive containing path traversal sequences, allowing arbitrary file writes and leading to code execution.

Affected (5)

Products: Sitecore: Experience Commerce, Experience Manager, Experience Platform, Managed Cloud

4 products

Configuration A

5 vulnerable

Vulnerable Software	Affected Versions
Sitecore Experience Commerce	From 9.0 to 10.4
Sitecore Experience Manager	From 9.0 to 10.4
Sitecore Experience Platform	From 9.0 to 10.4
Sitecore Experience Platform	Version 10.4
Sitecore Managed Cloud	All versions

Related CWEs

CWE-23

Relative Path Traversal

The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.

References (2)

https://labs.watchtowr.com/is-b-for-backdoor-pre-auth-rce-chain-in-sitecore-experience-platform/

Source: disclosure@vulncheck.com

ExploitThird Party Advisory

https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1003667

Source: disclosure@vulncheck.com

Vendor Advisory

Timeline

No history available yet.