CVE-2025-53694 PoC — Information Disclosure in ItemServices API

Source

https://github.com/blueisbeautiful/CVE-2025-53694

Associated Vulnerability

Title:Information Disclosure in ItemServices API (CVE-2025-53694)
Description:Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Sitecore Sitecore Experience Manager (XM), Sitecore Experience Platform (XP).This issue affects Sitecore Experience Manager (XM): from 9.2 through 10.4; Experience Platform (XP): from 9.2 through 10.4.

Description

Information Disclosure in ItemService API with a restricted anonymous user, leading to exposure of cache keys using a brute-force approach

Readme

### CVE-2025-53694: Information Disclosure in ItemService API with a restricted anonymous user, leading to exposure of cache keys using a brute-force approach

The ItemService API, accessible at `/sitecore/shell/api/sitecore/ItemService/GetChildren`, allows unauthenticated users to query the Sitecore database. By providing a valid item GUID and database name, an attacker can enumerate the internal structure of the Sitecore instance, including sensitive information about items, templates, and system configuration.

**Information Disclosure:** The attacker uses CVE-2025-53694 to gather information about the target system.

## Mitigation

Sitecore has released patches for this vulnerabilitie. It is strongly recommended to upgrade to the latest version of Sitecore XP or apply the provided security patches.

## Reference

[1] Watchtowr Labs. (2025). [*Cache Me If You Can: Sitecore Experience Platform Cache Poisoning to RCE*.](https://labs.watchtowr.com/cache-me-if-you-can-sitecore-experience-platform-cache-poisoning-to-rce/)

File Snapshot

Remarks

1. It is advised to access via the original source first.

2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.

View subscription plans →

Goal Reached Thanks to every supporter — we hit 100%!