CVE-2025-34509— Sitecore XM and XP Hardcoded Credentials
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2025-34509
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Sitecore XM and XP Hardcoded Credentials
Source: NVD (National Vulnerability Database)
Vulnerability Description
Sitecore Experience Manager (XM) and Experience Platform (XP) versions 10.1 to 10.1.4 rev. 011974 PRE, all versions of 10.2, 10.3 to 10.3.3 rev. 011967 PRE, and 10.4 to 10.4.1 rev. 011941 PRE contain a hardcoded user account. Unauthenticated and remote attackers can use this account to access administrative API over HTTP.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
使用硬编码的凭证
Source: NVD (National Vulnerability Database)
Vulnerability Title
Sitecore Experience Platform和Sitecore Experience Manager 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Sitecore Experience Platform(XP)和Sitecore Experience Manager(XM)都是丹麦Sitecore公司的产品。Sitecore Experience Platform是一套客户数字体验平台。Sitecore Experience Manager是一个管理软件。 Sitecore Experience Platform和Sitecore Experience Manager存在安全漏洞,该漏洞源于硬编码用户账户,可能导致未经验证的远程攻击者访问管理API
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| Sitecore | Experience Manager | 10.4 ~ 10.4.1 rev. 011941 PRE | - | |
| Sitecore | Experience Platform | 10.4 ~ 10.4.1 rev. 011941 PRE | - |
II. Public POCs for CVE-2025-34509
| # | POC Description | Source Link | Shenlong Link |
|---|---|---|---|
| 1 | Sitecore Experience Manager (XM) and Experience Platform (XP) versions 10.1 to 10.1.4 rev. 011974 PRE, all versions of 10.2, 10.3 to 10.3.3 rev. 011967 PRE, and 10.4 to 10.4.1 rev. 011941 PRE contain a hardcoded user account. Unauthenticated and remote attackers can use this account to access administrative API over HTTP. | https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2025/CVE-2025-34509.yaml | POC Details |
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2025-34509
请登录查看更多情报信息。
- Is b For Backdoor? Pre-Auth RCE Chain In Sitecore Experience Platformthird-party-advisoryexploittechnical-description
- Security Bulletins - Security Bulletin SC2025-003vendor-advisory
- https://nvd.nist.gov/vuln/detail/CVE-2025-34509
Same Patch Batch · Sitecore · 2025-06-17 · 3 CVEs total
| CVE-2025-34510 | 8.8 HIGH | Sitecore XM, XC, and XP Post-Auth RCE via Zip Slip |
| CVE-2025-34511 | 8.8 HIGH | Sitecore PowerShell Extension RCE via Unrestricted Upload |
IV. Related Vulnerabilities
Same product: Experience Manager
Same vendor: Sitecore
- CVE-2025-53692
Sitecore Experience Platform Cross-Site Scripting Vulnerabil - CVE-2025-53690
Sitecore Products ViewState Deserialization Vulnerability - CVE-2025-53691
Sitecore Experience Remote Code Execution through Insecure D - CVE-2025-53693
HTML Cache Poisoning through Unsafe Reflections - CVE-2025-53694
Information Disclosure in ItemServices API
Same weakness: CWE-798
- CVE-2026-7414
Hardcoded credentials in Yarbo robot firmware - CVE-2026-8032
PicoTronica e-Clinic Healthcare System ECHS echs.js hard-cod - CVE-2026-32834
Easy PayPal Events & Tickets 1.3 Authentication Bypass via Q - CVE-2026-42376
D-Link DIR-456U A1 Hardcoded Telnet Backdoor Credentials - CVE-2026-42375
D-Link DIR-600L A1 Hardcoded Telnet Backdoor Credentials
V. Comments for CVE-2025-34509
No comments yet