info@thehackernews.com (The Hacker News)
2025-06-17 06:33:00
thehackernews.com
Cybersecurity researchers have disclosed three security flaws in the popular Sitecore Experience Platform (XP) that could be chained to achieve pre-authenticated remote code execution.
Sitecore Experience Platform is an enterprise-oriented software that provides users with tools for content management, digital marketing, and analytics and reports.
The list of vulnerabilities, which are yet to be assigned CVE identifiers, is as follows –
- Use of hard-coded credentials
- Post-authenticated remote code execution via path traversal
- Post-authenticated remote code execution via Sitecore PowerShell Extension
watchTowr Labs researcher Piotr Bazydlo said the default user account “sitecore\ServicesAPI” has a single-character password that’s hard-coded to “b.”
While the user has no roles and permissions assigned in Sitecore, the attack surface management firm found that the credentials could be alternately used against the “/sitecore/admin” API endpoint to sign in as “sitecore\ServicesAPI” and obtain a valid session cookie for the user.
“While we can’t access ‘Sitecore Applications’ (where a significant portion of functionality is defined) as the ServicesAPI has no roles assigned, we can still: (1) Access a number of APIs, and (2) Pass through IIS authorization rules and directly access some endpoints,” Bazydlo explained.
This, in turn, opens the door to remote code execution via a zip slip vulnerability that makes it possible to upload a specially crafted ZIP file via the “/sitecore/shell/Applications/Dialogs/Upload/Upload2.aspx” endpoint and causes the archive’s contents (e.g., a web shell) to be written to the webroot directory.
The entire sequence of actions is listed below –
- Authenticate as the “sitecore\ServicesAPI” user
- Access Upload2.aspx
- Upload a ZIP file, which contains a web shell called /\/../
- When prompted, check the Unzip option and complete the upload
- Access the web shell
The third vulnerability has to do with an unrestricted file upload flaw in PowerShell Extensions that can also be exploited as the “sitecore\ServicesAPI” user to achieve remote code execution through the “/sitecore%20modules/Shell/PowerShell/UploadFile/PowerShellUploadFile2.aspx” endpoint.
watchTowr pointed out that the hard-coded password originates from within the Sitecore installer that imports a pre-configured user database with the ServicesAPI password set to “b.” This change, the company said, went into effect starting version 10.1.
This also means that the exploit chain only works if users have installed Sitecore using installers for versions ≥ 10.1. Users are likely not impacted if they were previously running a version prior to 10.1 and then upgraded to a newer vulnerable version, assuming the old database is being migrated, and not the database embedded within the installation package.
With previously disclosed flaws in Sitecore XP coming under active exploitation in the wild (CVE-2019-9874 and CVE-2019-9875), it’s essential that users apply the latest patches, if not already, to safeguard against potential cyber threats.
“By default, recent versions of Sitecore shipped with a user that had a hard-coded password of ‘b.’ It’s 2025, and we can’t believe we still have to say this, but that’s very bad,” Benjamin Harris, CEO and founder of watchTowr, told The Hacker News in a statement.
“Sitecore is deployed across thousands of environments, including banks, airlines, and global enterprises – so the blast radius here is massive. And no, this isn’t theoretical: we’ve run the full chain, end-to-end. If you’re running Sitecore, it doesn’t get worse than this – rotate creds and patch immediately before attackers inevitably reverse engineer the fix.”
Upgrade your audio game with the Logitech for Creators Blue Yeti USB Microphone. With over 33,730 ratings and an impressive 4.6 out of 5 stars, it’s no wonder this is an Amazon’s Choice product. Recently, 5K+ units were purchased in the past month.
Available in five stunning colors: Teal, Silver, Pink Dawn, Midnight Blue, and Blackout, this microphone is perfect for creators looking to produce exceptional audio. Priced at only $84.99, it’s a deal you can’t afford to miss.
Elevate your recordings with clear broadcast-quality sound and explore your creativity with enhanced effects, advanced modulation, and HD audio samples. Order now for just $84.99 on Amazon!
Help Power Techcratic’s Future – Scan To Support
If Techcratic’s content and insights have helped you, consider giving back by supporting the platform with crypto. Every contribution makes a difference, whether it’s for high-quality content, server maintenance, or future updates. Techcratic is constantly evolving, and your support helps drive that progress.
As a solo operator who wears all the hats, creating content, managing the tech, and running the site, your support allows me to stay focused on delivering valuable resources. Your support keeps everything running smoothly and enables me to continue creating the content you love. I’m deeply grateful for your support, it truly means the world to me! Thank you!
BITCOIN
bc1qlszw7elx2qahjwvaryh0tkgg8y68enw30gpvge Scan the QR code with your crypto wallet app |
DOGECOIN
D64GwvvYQxFXYyan3oQCrmWfidf6T3JpBA Scan the QR code with your crypto wallet app |
ETHEREUM
0xe9BC980DF3d985730dA827996B43E4A62CCBAA7a Scan the QR code with your crypto wallet app |
Please read the Privacy and Security Disclaimer on how Techcratic handles your support.
Disclaimer: As an Amazon Associate, Techcratic may earn from qualifying purchases.
