Three new safety vulnerabilities have been disclosed within the Sitecore Expertise Platform that may very well be exploited to attain info disclosure and distant code execution.
The issues, per watchTowr Labs, are listed under –
- CVE-2025-53693 – HTML cache poisoning by means of unsafe reflections
- CVE-2025-53691 – Distant code execution (RCE) by means of insecure deserialization
- CVE-2025-53694 – Info Disclosure in ItemService API with a restricted nameless person, resulting in publicity of cache keys utilizing a brute-force strategy
Patches for the primary two shortcomings had been launched by Sitecore in June and for the third in July 2025, with the corporate stating that “profitable exploitation of the associated vulnerabilities would possibly result in distant code execution and non-authorized entry to info.”
The findings construct on three extra flaws in the identical product that had been detailed by watchTowr again in June –
- CVE-2025-34509 (CVSS rating: 8.2) – Use of hard-coded credentials
- CVE-2025-34510 (CVSS rating: 8.8) – Publish-authenticated distant code execution by way of path traversal
- CVE-2025-34511 (CVSS rating: 8.8) – Publish-authenticated distant code execution by way of Sitecore PowerShell Extension
watchTowr Labs researcher Piotr Bazydlo stated the newly uncovered bugs may very well be customary into an exploit chain by bringing collectively the pre-auth HTML cache poisoning vulnerability with a post-authenticated distant code execution difficulty to compromise a fully-patched Sitecore Expertise Platform occasion.
The complete sequence of occasions main as much as code execution is as follows: A risk actor might leverage the ItemService API, if uncovered, to trivially enumerate HTML cache keys saved within the Sitecore cache and ship HTTP cache poisoning requests to these keys.
This might then be chained with CVE-2025-53691 to provide malicious HTML code that finally ends in code execution by way of an unrestricted BinaryFormatter name.
“We managed to abuse a really restricted reflection path to name a technique that lets us poison any HTML cache key,” Bazydlo stated. “That single primitive opened the door to hijacking Sitecore Expertise Platform pages – and from there, dropping arbitrary JavaScript to set off a Publish-Auth RCE vulnerability.”
Elevate your perspective with NextTech Information, the place innovation meets perception.
Uncover the most recent breakthroughs, get unique updates, and join with a worldwide community of future-focused thinkers.
Unlock tomorrow’s tendencies right now: learn extra, subscribe to our e-newsletter, and develop into a part of the NextTech neighborhood at NextTech-news.com
