CVE-2025-27218

Published Feb 20, 2025

Last updated a year ago

Overview

Description
Sitecore Experience Manager (XM) and Experience Platform (XP) 10.4 before KB1002844 allow remote code execution through insecure deserialization.
Source
cve@mitre.org
NVD status
Received

Risk scores

CVSS 3.1

Type
Secondary
Base score
5.3
Impact score
1.4
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Severity
MEDIUM

Weaknesses

134c704f-9b21-4f2e-91b3-4a467353bcc0
CWE-94

Social media

Hype score
Not currently trending
  1. 🚨 Sitecore Zero-Day (≤10.4) CVE-2025-27218 delivers malware - no login needed. • Unsafe deserialization exploit • Hard to detect (500 errors) 🔒 Test before attackers do. ➡️ Get 3 private - pentest bids at https://t.co/4ZmseOiu9a 🔗 https://t.co/ESPbaVmRxm https:

    @PenTestBids

    4 Sept 2025

    1 Impression

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. #threatreport #LowCompleteness Is b For Backdoor? Pre-Auth RCE Chain In Sitecore Experience Platform | 17-06-2025 Source: https://t.co/54tI7XiiLy Key details below ↓ 💀Threats: Kekw, 🎯Victims: Sitecore, Enterprise 🔓CVEs: CVE-2025-27218 \[[Vulners](https://t.co/Ih14s

    @rst_cloud

    20 Jun 2025

    39 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. CISA KEV alert 25/03/26: a Sitecore CMS/XP vulnerability discovered six years ago has been added https://t.co/zaDPdgGNXo An old vulnerability in Sitecore CMS/XP has been added to the CISA KEV catalog. Just the other day, on 2025/03/06, "Sitecore vulnerability CVE-2025-27218 FIXED: RCE requiring no authentication

    @iototsecnews

    7 Apr 2025

    29 Impressions

    1 Retweet

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. This week's RCEs are locked in: Tomcat Partial PUT Java Deserialization, CmsMadeSimple, and Sitecore CVE-2025-27218. Plus, we've added more PKCS12 certificate storage. https://t.co/61en5S4FSR

    @metasploit

    4 Apr 2025

    2974 Impressions

    7 Retweets

    27 Likes

    2 Bookmarks

    0 Replies

    0 Quotes

  5. Sitecore "thumbnailsaccesstoken" Deserialization Scans (and some new reports) CVE-2025-27218 https://t.co/N0aDbnbkIh @SLCyberSec https://t.co/SPsGIhXbBC

    @sans_isc

    27 Mar 2025

    1059 Impressions

    0 Retweets

    2 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  6. Sitecore "thumbnailsaccesstoken" Deserialization Scans (and some new reports) CVE-2025-27218 https://t.co/N0aDbnbSxP https://t.co/nEUt7EgLgB

    @sans_isc

    27 Mar 2025

    264 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  7. Sitecore: Unsafe Deserialisation Again! (CVE-2025-27218) › Searchlight Cyber https://t.co/Edrz7dlAVo https://t.co/eU7iw4pDvr

    @z0_enix

    8 Mar 2025

    32 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  8. Our security research team discovered a pre-auth RCE (CVE-2025-27218) in Sitecore XP 10.4. You can read our research here: https://t.co/CzoIe0mlO2

    @assetnote

    6 Mar 2025

    4186 Impressions

    12 Retweets

    103 Likes

    24 Bookmarks

    0 Replies

    0 Quotes

  9. Nice assessment of Sitecore XM + XP remote code execution CVE-2025-27218 c/o @rapid7's pen testing team 🎉 https://t.co/N1FHZsXeV6

    @catc0n

    5 Mar 2025

    2708 Impressions

    10 Retweets

    37 Likes

    4 Bookmarks

    0 Replies

    0 Quotes

  10. CVE-2025-27218 Unauthenticated Remote Code Execution in Sitecore Experience Manager 10.4 https://t.co/AXHQzkSCZn

    @VulmonFeeds

    20 Feb 2025

    10 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  11. CVE-2025-27218 Sitecore Experience Manager (XM) and Experience Platform (XP) 10.4 before KB1002844 allow remote code execution through insecure deserialization. https://t.co/2qHoGxgwEV

    @CVEnew

    20 Feb 2025

    485 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes