
    6 vulnerabilities found for Experience Manager (XM) by Sitecore

    CVE-2025-53690 (GCVE-0-2025-53690)

    Vulnerability from nvd – Published: 2025-09-03 20:04 – Updated: 2026-02-26 17:49
    VLAI CISA KEVIntel
    Title
    Sitecore Products ViewState Deserialization Vulnerability
    Summary
    Deserialization of Untrusted Data vulnerability in Sitecore Experience Manager (XM), Sitecore Experience Platform (XP) allows Code Injection. This issue affects Experience Manager (XM): through 9.0; Experience Platform (XP): through 9.0.
    SSVC
    Exploitation: active Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-502 - Deserialization of Untrusted Data
    Assigner
    Wiz
    Impacted products
    Date Public
    2025-09-03 18:00
    Credits
    Mandiant Threat Defense

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-53690",
                    "options": [
                      {
                        "Exploitation": "active"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-09-05T03:55:32.553435Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              },
              {
                "other": {
                  "content": {
                    "dateAdded": "2025-09-04",
                    "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-53690"
                  },
                  "type": "kev"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-26T17:49:44.363Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "government-resource"
                ],
                "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-53690"
              }
            ],
            "timeline": [
              {
                "lang": "en",
                "time": "2025-09-04T00:00:00.000Z",
                "value": "CVE-2025-53690 added to CISA KEV"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Experience Manager (XM)",
              "vendor": "Sitecore",
              "versions": [
                {
                  "lessThanOrEqual": "9.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Experience Platform (XP)",
              "vendor": "Sitecore",
              "versions": [
                {
                  "lessThanOrEqual": "9.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "configurations": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cspan style=\"background-color: rgb(254, 254, 254);\"\u003eCustomers who followed the deployment instructions provided with XP 9.0 or earlier and Active Directory 1.4 or earlier and used the sample machine key (for example, machine key: BDDFE367CD..., validation key: 0DAC68D020...) are vulnerable.\u003c/span\u003e\u003cbr\u003e"
                }
              ],
              "value": "Customers who followed the deployment instructions provided with XP 9.0 or earlier and Active Directory 1.4 or earlier and used the sample machine key (for example, machine key: BDDFE367CD..., validation key: 0DAC68D020...) are vulnerable."
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Mandiant Threat Defense"
            }
          ],
          "datePublic": "2025-09-03T18:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Deserialization of Untrusted Data vulnerability in Sitecore Experience Manager (XM), Sitecore Experience Platform (XP) allows Code Injection.\u003cp\u003eThis issue affects Experience Manager (XM): through 9.0; Experience Platform (XP): through 9.0.\u003c/p\u003e"
                }
              ],
              "value": "Deserialization of Untrusted Data vulnerability in Sitecore Experience Manager (XM), Sitecore Experience Platform (XP) allows Code Injection.This issue affects Experience Manager (XM): through 9.0; Experience Platform (XP): through 9.0."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-242",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-242 Code Injection"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-502",
                  "description": "CWE-502 Deserialization of Untrusted Data",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-09-03T20:04:48.223Z",
            "orgId": "9947ef80-c5d5-474a-bbab-97341a59000e",
            "shortName": "Wiz"
          },
          "references": [
            {
              "url": "https://cloud.google.com/blog/topics/threat-intelligence/viewstate-deserialization-zero-day-vulnerability"
            },
            {
              "url": "https://support.sitecore.com/kb?id=kb_article_view\u0026sysparm_article=KB1003865"
            }
          ],
          "source": {
            "discovery": "USER"
          },
          "title": "Sitecore Products ViewState Deserialization Vulnerability",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9947ef80-c5d5-474a-bbab-97341a59000e",
        "assignerShortName": "Wiz",
        "cveId": "CVE-2025-53690",
        "datePublished": "2025-09-03T20:04:48.223Z",
        "dateReserved": "2025-07-08T14:21:02.028Z",
        "dateUpdated": "2026-02-26T17:49:44.363Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-53691 (GCVE-0-2025-53691)

    Vulnerability from nvd – Published: 2025-09-03 12:36 – Updated: 2025-09-03 13:49
    VLAI
    Title
    Sitecore Experience Remote Code Execution through Insecure Deserialization
    Summary
    Deserialization of Untrusted Data vulnerability in Sitecore Experience Manager (XM), Sitecore Experience Platform (XP) allows Remote Code Execution (RCE). This issue affects Experience Manager (XM): from 9.0 through 9.3, from 10.0 through 10.4; Experience Platform (XP): from 9.0 through 9.3, from 10.0 through 10.4.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-502 - Deserialization of Untrusted Data
    Assigner
    Wiz
    Impacted products
    Vendor Product Version
    Sitecore Experience Manager (XM) Affected: 9.0 , ≤ 9.3 (semver)
    Affected: 10.0 , ≤ 10.4 (semver)
    Sitecore Experience Platform (XP) Affected: 9.0 , ≤ 9.3 (semver)
    Affected: 10.0 , ≤ 10.4 (semver)
    Date Public
    2025-09-03 11:00
    Credits
    Piotr Bazydlo of watchTowr

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-53691",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-09-03T13:49:10.233307Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-09-03T13:49:39.605Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Experience Manager (XM)",
              "vendor": "Sitecore",
              "versions": [
                {
                  "lessThanOrEqual": "9.3",
                  "status": "affected",
                  "version": "9.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "10.4",
                  "status": "affected",
                  "version": "10.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Experience Platform (XP)",
              "vendor": "Sitecore",
              "versions": [
                {
                  "lessThanOrEqual": "9.3",
                  "status": "affected",
                  "version": "9.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "10.4",
                  "status": "affected",
                  "version": "10.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Piotr Bazydlo of watchTowr"
            }
          ],
          "datePublic": "2025-09-03T11:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Deserialization of Untrusted Data vulnerability in Sitecore Experience Manager (XM), Sitecore Experience Platform (XP) allows Remote Code Execution (RCE).\u003cp\u003eThis issue affects Experience Manager (XM): from 9.0 through 9.3, from 10.0 through 10.4; Experience Platform (XP): from 9.0 through 9.3, from 10.0 through 10.4.\u003c/p\u003e"
                }
              ],
              "value": "Deserialization of Untrusted Data vulnerability in Sitecore Experience Manager (XM), Sitecore Experience Platform (XP) allows Remote Code Execution (RCE).This issue affects Experience Manager (XM): from 9.0 through 9.3, from 10.0 through 10.4; Experience Platform (XP): from 9.0 through 9.3, from 10.0 through 10.4."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-242",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-242 Code Injection"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-502",
                  "description": "CWE-502 Deserialization of Untrusted Data",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-09-03T12:36:59.561Z",
            "orgId": "9947ef80-c5d5-474a-bbab-97341a59000e",
            "shortName": "Wiz"
          },
          "references": [
            {
              "url": "https://labs.watchtowr.com/cache-me-if-you-can-sitecore-experience-platform-cache-poisoning-to-rce/"
            },
            {
              "url": "https://support.sitecore.com/kb?id=kb_article_view\u0026sysparm_article=KB1003667"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Sitecore Experience Remote Code Execution through Insecure Deserialization",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9947ef80-c5d5-474a-bbab-97341a59000e",
        "assignerShortName": "Wiz",
        "cveId": "CVE-2025-53691",
        "datePublished": "2025-09-03T12:36:59.561Z",
        "dateReserved": "2025-07-08T14:21:02.029Z",
        "dateUpdated": "2025-09-03T13:49:39.605Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-34139 (GCVE-0-2025-34139)

    Vulnerability from nvd – Published: 2025-07-25 15:54 – Updated: 2025-11-19 01:28
    VLAI
    Title
    Sitecore XM/XP/XC and Managed Cloud 8.0 - 10.4 Arbitrary File Read
    Summary
    A vulnerability exists in Sitecore Experience Manager (XM), Experience Platform (XP), Experience Commerce (XC), and Managed Cloud that could allow an unauthenticated attacker to read arbitrary files. This vulnerability affects all Experience Platform topologies (XM, XP, XC) from 8.0 Initial Release through 10.4 Initial Release and later. This issue affects Content Management (CM) and standalone instances. PaaS and containerized solutions are also affected.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-522 - Insufficiently Protected Credentials
    • CWE-552 - Files or Directories Accessible to External Parties
    Assigner
    Impacted products
    Vendor Product Version
    Sitecore Experience Manager (XM) Affected: 8.0 Initial Release , ≤ 10.4 Initial Release and later (custom)
    Sitecore Experience Platform (XP) Affected: 8.0 Initial Release , ≤ 10.4 Initial Release and later (custom)
    Sitecore Experience Commerce (XC) Affected: 8.0 Initial Release , ≤ 10.4 Initial Release and later (custom)
    Sitecore Managed Cloud Affected: 8.0 Initial Release , ≤ 10.4 Initial Release and later (custom)
    Credits
    Sitecore

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-34139",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-07-25T18:20:58.705145Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-552",
                    "description": "CWE-552 Files or Directories Accessible to External Parties",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-07-25T18:21:11.575Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Experience Manager (XM)",
              "vendor": "Sitecore",
              "versions": [
                {
                  "lessThanOrEqual": "10.4 Initial Release and later",
                  "status": "affected",
                  "version": "8.0 Initial Release",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Experience Platform (XP)",
              "vendor": "Sitecore",
              "versions": [
                {
                  "lessThanOrEqual": "10.4 Initial Release and later",
                  "status": "affected",
                  "version": "8.0 Initial Release",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Experience Commerce (XC)",
              "vendor": "Sitecore",
              "versions": [
                {
                  "lessThanOrEqual": "10.4 Initial Release and later",
                  "status": "affected",
                  "version": "8.0 Initial Release",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Managed Cloud",
              "vendor": "Sitecore",
              "versions": [
                {
                  "lessThanOrEqual": "10.4 Initial Release and later",
                  "status": "affected",
                  "version": "8.0 Initial Release",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:sitecore:managed_cloud:*:*:*:*:*:*:*:*",
                      "versionEndIncluding": "10.4",
                      "versionStartIncluding": "8.0",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ],
              "operator": "OR"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Sitecore"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "A vulnerability exists in Sitecore\u0026nbsp;\u003cspan style=\"background-color: rgb(254, 254, 254);\"\u003eExperience Manager (XM),\u0026nbsp;\u003cspan style=\"background-color: rgb(254, 254, 254);\"\u003eExperience Platform (XP),\u0026nbsp;\u003cspan style=\"background-color: rgb(254, 254, 254);\"\u003eExperience Commerce (XC), and\u0026nbsp;\u003cspan style=\"background-color: rgb(254, 254, 254);\"\u003eManaged Cloud that could allow an unauthenticated attacker to read arbitrary files\u003cspan style=\"background-color: rgb(254, 254, 254);\"\u003e.\u0026nbsp;\u003cspan style=\"background-color: rgb(254, 254, 254);\"\u003e\u003cspan style=\"background-color: rgb(254, 254, 254);\"\u003eThis vulnerability affects all Experience Platform topologies (XM, XP, XC) from 8.0 Initial Release through 10.4 Initial Release and later. This issue affects Content Management (CM) and standalone instances. PaaS and containerized solutions are also affected.\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cbr\u003e"
                }
              ],
              "value": "A vulnerability exists in Sitecore\u00a0Experience Manager (XM),\u00a0Experience Platform (XP),\u00a0Experience Commerce (XC), and\u00a0Managed Cloud that could allow an unauthenticated attacker to read arbitrary files.\u00a0This vulnerability affects all Experience Platform topologies (XM, XP, XC) from 8.0 Initial Release through 10.4 Initial Release and later. This issue affects Content Management (CM) and standalone instances. PaaS and containerized solutions are also affected."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-522",
                  "description": "CWE-522 Insufficiently Protected Credentials",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-11-19T01:28:37.079Z",
            "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
            "shortName": "VulnCheck"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory",
                "patch"
              ],
              "url": "https://support.sitecore.com/kb?id=kb_article_view\u0026sysparm_article=KB1003650"
            },
            {
              "tags": [
                "vendor-advisory",
                "patch"
              ],
              "url": "https://support.sitecore.com/kb?id=kb_article_view\u0026sysparm_article=KB1003661"
            },
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.vulncheck.com/advisories/sitecore-xm-xp-xc-managed-cloud-arbitrary-file-read"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Sitecore XM/XP/XC and Managed Cloud 8.0 - 10.4 Arbitrary File Read",
          "x_generator": {
            "engine": "vulncheck"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "assignerShortName": "VulnCheck",
        "cveId": "CVE-2025-34139",
        "datePublished": "2025-07-25T15:54:25.297Z",
        "dateReserved": "2025-04-15T19:15:22.563Z",
        "dateUpdated": "2025-11-19T01:28:37.079Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-53690 (GCVE-0-2025-53690)

    Vulnerability from cvelistv5 – Published: 2025-09-03 20:04 – Updated: 2026-02-26 17:49
    VLAI CISA KEVIntel
    Title
    Sitecore Products ViewState Deserialization Vulnerability
    Summary
    Deserialization of Untrusted Data vulnerability in Sitecore Experience Manager (XM), Sitecore Experience Platform (XP) allows Code Injection. This issue affects Experience Manager (XM): through 9.0; Experience Platform (XP): through 9.0.
    SSVC
    Exploitation: active Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-502 - Deserialization of Untrusted Data
    Assigner
    Wiz
    Impacted products
    Date Public
    2025-09-03 18:00
    Credits
    Mandiant Threat Defense

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-53690",
                    "options": [
                      {
                        "Exploitation": "active"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-09-05T03:55:32.553435Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              },
              {
                "other": {
                  "content": {
                    "dateAdded": "2025-09-04",
                    "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-53690"
                  },
                  "type": "kev"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-26T17:49:44.363Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "government-resource"
                ],
                "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-53690"
              }
            ],
            "timeline": [
              {
                "lang": "en",
                "time": "2025-09-04T00:00:00.000Z",
                "value": "CVE-2025-53690 added to CISA KEV"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Experience Manager (XM)",
              "vendor": "Sitecore",
              "versions": [
                {
                  "lessThanOrEqual": "9.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Experience Platform (XP)",
              "vendor": "Sitecore",
              "versions": [
                {
                  "lessThanOrEqual": "9.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "configurations": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cspan style=\"background-color: rgb(254, 254, 254);\"\u003eCustomers who followed the deployment instructions provided with XP 9.0 or earlier and Active Directory 1.4 or earlier and used the sample machine key (for example, machine key: BDDFE367CD..., validation key: 0DAC68D020...) are vulnerable.\u003c/span\u003e\u003cbr\u003e"
                }
              ],
              "value": "Customers who followed the deployment instructions provided with XP 9.0 or earlier and Active Directory 1.4 or earlier and used the sample machine key (for example, machine key: BDDFE367CD..., validation key: 0DAC68D020...) are vulnerable."
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Mandiant Threat Defense"
            }
          ],
          "datePublic": "2025-09-03T18:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Deserialization of Untrusted Data vulnerability in Sitecore Experience Manager (XM), Sitecore Experience Platform (XP) allows Code Injection.\u003cp\u003eThis issue affects Experience Manager (XM): through 9.0; Experience Platform (XP): through 9.0.\u003c/p\u003e"
                }
              ],
              "value": "Deserialization of Untrusted Data vulnerability in Sitecore Experience Manager (XM), Sitecore Experience Platform (XP) allows Code Injection.This issue affects Experience Manager (XM): through 9.0; Experience Platform (XP): through 9.0."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-242",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-242 Code Injection"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-502",
                  "description": "CWE-502 Deserialization of Untrusted Data",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-09-03T20:04:48.223Z",
            "orgId": "9947ef80-c5d5-474a-bbab-97341a59000e",
            "shortName": "Wiz"
          },
          "references": [
            {
              "url": "https://cloud.google.com/blog/topics/threat-intelligence/viewstate-deserialization-zero-day-vulnerability"
            },
            {
              "url": "https://support.sitecore.com/kb?id=kb_article_view\u0026sysparm_article=KB1003865"
            }
          ],
          "source": {
            "discovery": "USER"
          },
          "title": "Sitecore Products ViewState Deserialization Vulnerability",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9947ef80-c5d5-474a-bbab-97341a59000e",
        "assignerShortName": "Wiz",
        "cveId": "CVE-2025-53690",
        "datePublished": "2025-09-03T20:04:48.223Z",
        "dateReserved": "2025-07-08T14:21:02.028Z",
        "dateUpdated": "2026-02-26T17:49:44.363Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-53691 (GCVE-0-2025-53691)

    Vulnerability from cvelistv5 – Published: 2025-09-03 12:36 – Updated: 2025-09-03 13:49
    Title
    Sitecore Experience Remote Code Execution through Insecure Deserialization
    Summary
    Deserialization of Untrusted Data vulnerability in Sitecore Experience Manager (XM), Sitecore Experience Platform (XP) allows Remote Code Execution (RCE). This issue affects Experience Manager (XM): from 9.0 through 9.3, from 10.0 through 10.4; Experience Platform (XP): from 9.0 through 9.3, from 10.0 through 10.4. The CNA's CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N, 8.8 HIGH) marks it as network-reachable with low privileges required, i.e. the attacker needs some authenticated access rather than being fully unauthenticated; SSVC records a public proof of concept (Exploitation: poc).
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-502 - Deserialization of Untrusted Data
    Assigner
    Wiz
    Impacted products
    Vendor Product Version
    Sitecore Experience Manager (XM) Affected: 9.0 , ≤ 9.3 (semver)
    Affected: 10.0 , ≤ 10.4 (semver)
    Sitecore Experience Platform (XP) Affected: 9.0 , ≤ 9.3 (semver)
    Affected: 10.0 , ≤ 10.4 (semver)
    Date Public
    2025-09-03 11:00
    Credits
    Piotr Bazydlo of watchTowr

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-53691",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-09-03T13:49:10.233307Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-09-03T13:49:39.605Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Experience Manager (XM)",
              "vendor": "Sitecore",
              "versions": [
                {
                  "lessThanOrEqual": "9.3",
                  "status": "affected",
                  "version": "9.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "10.4",
                  "status": "affected",
                  "version": "10.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Experience Platform (XP)",
              "vendor": "Sitecore",
              "versions": [
                {
                  "lessThanOrEqual": "9.3",
                  "status": "affected",
                  "version": "9.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "10.4",
                  "status": "affected",
                  "version": "10.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Piotr Bazydlo of watchTowr"
            }
          ],
          "datePublic": "2025-09-03T11:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Deserialization of Untrusted Data vulnerability in Sitecore Experience Manager (XM), Sitecore Experience Platform (XP) allows Remote Code Execution (RCE).\u003cp\u003eThis issue affects Experience Manager (XM): from 9.0 through 9.3, from 10.0 through 10.4; Experience Platform (XP): from 9.0 through 9.3, from 10.0 through 10.4.\u003c/p\u003e"
                }
              ],
              "value": "Deserialization of Untrusted Data vulnerability in Sitecore Experience Manager (XM), Sitecore Experience Platform (XP) allows Remote Code Execution (RCE).This issue affects Experience Manager (XM): from 9.0 through 9.3, from 10.0 through 10.4; Experience Platform (XP): from 9.0 through 9.3, from 10.0 through 10.4."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-242",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-242 Code Injection"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-502",
                  "description": "CWE-502 Deserialization of Untrusted Data",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-09-03T12:36:59.561Z",
            "orgId": "9947ef80-c5d5-474a-bbab-97341a59000e",
            "shortName": "Wiz"
          },
          "references": [
            {
              "url": "https://labs.watchtowr.com/cache-me-if-you-can-sitecore-experience-platform-cache-poisoning-to-rce/"
            },
            {
              "url": "https://support.sitecore.com/kb?id=kb_article_view\u0026sysparm_article=KB1003667"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Sitecore Experience Remote Code Execution through Insecure Deserialization",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9947ef80-c5d5-474a-bbab-97341a59000e",
        "assignerShortName": "Wiz",
        "cveId": "CVE-2025-53691",
        "datePublished": "2025-09-03T12:36:59.561Z",
        "dateReserved": "2025-07-08T14:21:02.029Z",
        "dateUpdated": "2025-09-03T13:49:39.605Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-34139 (GCVE-0-2025-34139)

    Vulnerability from cvelistv5 – Published: 2025-07-25 15:54 – Updated: 2025-11-19 01:28
    Title
    Sitecore XM/XP/XC and Managed Cloud 8.0 - 10.4 Arbitrary File Read
    Summary
    A vulnerability exists in Sitecore Experience Manager (XM), Experience Platform (XP), Experience Commerce (XC), and Managed Cloud that could allow an unauthenticated attacker to read arbitrary files. This vulnerability affects all Experience Platform topologies (XM, XP, XC) from 8.0 Initial Release through 10.4 Initial Release and later releases; the affected range is open-ended, so a build newer than 10.4 should not be assumed unaffected without checking the vendor advisories (KB1003650, KB1003661), which the record tags as carrying the patch. This issue affects Content Management (CM) and standalone instances. PaaS and containerized solutions are also affected. The CNA classifies the weakness as CWE-522 (Insufficiently Protected Credentials), indicating that the readable files can include credential material. Note that the record's cpeApplicability carries a CPE only for sitecore:managed_cloud (8.0–10.4), so CPE-based matching alone will not flag XM, XP or XC installs.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-522 - Insufficiently Protected Credentials
    • CWE-552 - Files or Directories Accessible to External Parties
    Assigner
    VulnCheck
    Impacted products
    Vendor Product Version
    Sitecore Experience Manager (XM) Affected: 8.0 Initial Release , ≤ 10.4 Initial Release and later (custom)
    Sitecore Experience Platform (XP) Affected: 8.0 Initial Release , ≤ 10.4 Initial Release and later (custom)
    Sitecore Experience Commerce (XC) Affected: 8.0 Initial Release , ≤ 10.4 Initial Release and later (custom)
    Sitecore Managed Cloud Affected: 8.0 Initial Release , ≤ 10.4 Initial Release and later (custom)
    Credits
    Sitecore

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-34139",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-07-25T18:20:58.705145Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-552",
                    "description": "CWE-552 Files or Directories Accessible to External Parties",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-07-25T18:21:11.575Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Experience Manager (XM)",
              "vendor": "Sitecore",
              "versions": [
                {
                  "lessThanOrEqual": "10.4 Initial Release and later",
                  "status": "affected",
                  "version": "8.0 Initial Release",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Experience Platform (XP)",
              "vendor": "Sitecore",
              "versions": [
                {
                  "lessThanOrEqual": "10.4 Initial Release and later",
                  "status": "affected",
                  "version": "8.0 Initial Release",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Experience Commerce (XC)",
              "vendor": "Sitecore",
              "versions": [
                {
                  "lessThanOrEqual": "10.4 Initial Release and later",
                  "status": "affected",
                  "version": "8.0 Initial Release",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Managed Cloud",
              "vendor": "Sitecore",
              "versions": [
                {
                  "lessThanOrEqual": "10.4 Initial Release and later",
                  "status": "affected",
                  "version": "8.0 Initial Release",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:sitecore:managed_cloud:*:*:*:*:*:*:*:*",
                      "versionEndIncluding": "10.4",
                      "versionStartIncluding": "8.0",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ],
              "operator": "OR"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Sitecore"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "A vulnerability exists in Sitecore\u0026nbsp;\u003cspan style=\"background-color: rgb(254, 254, 254);\"\u003eExperience Manager (XM),\u0026nbsp;\u003cspan style=\"background-color: rgb(254, 254, 254);\"\u003eExperience Platform (XP),\u0026nbsp;\u003cspan style=\"background-color: rgb(254, 254, 254);\"\u003eExperience Commerce (XC), and\u0026nbsp;\u003cspan style=\"background-color: rgb(254, 254, 254);\"\u003eManaged Cloud that could allow an unauthenticated attacker to read arbitrary files\u003cspan style=\"background-color: rgb(254, 254, 254);\"\u003e.\u0026nbsp;\u003cspan style=\"background-color: rgb(254, 254, 254);\"\u003e\u003cspan style=\"background-color: rgb(254, 254, 254);\"\u003eThis vulnerability affects all Experience Platform topologies (XM, XP, XC) from 8.0 Initial Release through 10.4 Initial Release and later. This issue affects Content Management (CM) and standalone instances. PaaS and containerized solutions are also affected.\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cbr\u003e"
                }
              ],
              "value": "A vulnerability exists in Sitecore\u00a0Experience Manager (XM),\u00a0Experience Platform (XP),\u00a0Experience Commerce (XC), and\u00a0Managed Cloud that could allow an unauthenticated attacker to read arbitrary files.\u00a0This vulnerability affects all Experience Platform topologies (XM, XP, XC) from 8.0 Initial Release through 10.4 Initial Release and later. This issue affects Content Management (CM) and standalone instances. PaaS and containerized solutions are also affected."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-522",
                  "description": "CWE-522 Insufficiently Protected Credentials",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-11-19T01:28:37.079Z",
            "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
            "shortName": "VulnCheck"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory",
                "patch"
              ],
              "url": "https://support.sitecore.com/kb?id=kb_article_view\u0026sysparm_article=KB1003650"
            },
            {
              "tags": [
                "vendor-advisory",
                "patch"
              ],
              "url": "https://support.sitecore.com/kb?id=kb_article_view\u0026sysparm_article=KB1003661"
            },
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.vulncheck.com/advisories/sitecore-xm-xp-xc-managed-cloud-arbitrary-file-read"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Sitecore XM/XP/XC and Managed Cloud 8.0 - 10.4 Arbitrary File Read",
          "x_generator": {
            "engine": "vulncheck"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "assignerShortName": "VulnCheck",
        "cveId": "CVE-2025-34139",
        "datePublished": "2025-07-25T15:54:25.297Z",
        "dateReserved": "2025-04-15T19:15:22.563Z",
        "dateUpdated": "2025-11-19T01:28:37.079Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }