Researchers Warn of Sitecore Exploit Chain Linking Cache Poisoning and Remote Code Execution

Aug 29, 2025Ravie LakshmananVulnerability / Web Security

Three new security vulnerabilities have been disclosed in the Sitecore Experience Platform that could be exploited to achieve information disclosure and remote code execution.

The flaws, per watchTowr Labs, are listed below –

• CVE-2025-53693 – HTML cache poisoning through unsafe reflections
• CVE-2025-53691 – Remote code execution (RCE) through insecure deserialization
• CVE-2025-53694 – Information Disclosure in ItemService API with a restricted anonymous user, leading to exposure of cache keys using a brute-force approach

Patches for the first two shortcomings were released by Sitecore in June and for the third in July 2025, with the company stating that “successful exploitation of the related vulnerabilities might lead to remote code execution and non-authorized access to information.”

The findings build on three more flaws in the same product that were detailed by watchTowr back in June –

• CVE-2025-34509 (CVSS score: 8.2) – Use of hard-coded credentials
• CVE-2025-34510 (CVSS score: 8.8) – Post-authenticated remote code execution via path traversal
• CVE-2025-34511 (CVSS score: 8.8) – Post-authenticated remote code execution via Sitecore PowerShell Extension

watchTowr Labs researcher Piotr Bazydlo said the newly uncovered bugs could be fashioned into an exploit chain by bringing together the pre-auth HTML cache poisoning vulnerability with a post-authenticated remote code execution issue to compromise a fully-patched Sitecore Experience Platform instance.

The entire sequence of events leading up to code execution is as follows: A threat actor could leverage the ItemService API, if exposed, to trivially enumerate HTML cache keys stored in the Sitecore cache and send HTTP cache poisoning requests to those keys.

This could then be chained with CVE-2025-53691 to supply malicious HTML code that ultimately results in code execution by means of an unrestricted BinaryFormatter call.

“We managed to abuse a very restricted reflection path to call a method that lets us poison any HTML cache key,” Bazydlo said. “That single primitive opened the door to hijacking Sitecore Experience Platform pages – and from there, dropping arbitrary JavaScript to trigger a Post-Auth RCE vulnerability.”

Upgrade your audio game with the Logitech for Creators Blue Yeti USB Microphone. With over 33,730 ratings and an impressive 4.6 out of 5 stars, it’s no wonder this is an Amazon’s Choice product. Recently, 5K+ units were purchased in the past month.

Available in five stunning colors: Teal, Silver, Pink Dawn, Midnight Blue, and Blackout, this microphone is perfect for creators looking to produce exceptional audio. Priced at only $84.99, it’s a deal you can’t afford to miss.

Elevate your recordings with clear broadcast-quality sound and explore your creativity with enhanced effects, advanced modulation, and HD audio samples. Order now for just $84.99 on Amazon!

Help Power Techcratic’s Future – Scan To Support

If Techcratic’s content and insights have helped you, consider giving back by supporting the platform with crypto. Every contribution makes a difference, whether it’s for high-quality content, server maintenance, or future updates. Techcratic is constantly evolving, and your support helps drive that progress.

As a solo operator who wears all the hats, creating content, managing the tech, and running the site, your support allows me to stay focused on delivering valuable resources. Your support keeps everything running smoothly and enables me to continue creating the content you love. I’m deeply grateful for your support, it truly means the world to me! Thank you!