CVE-2025-34509

Published Jun 17, 2025

Last updated 3 months ago

CVSS high 7.5
Sitecore XM
Sitecore XP

Overview

Description
Sitecore Experience Manager (XM) and Experience Platform (XP) versions 10.1 to 10.1.4 rev. 011974 PRE, all versions of 10.2, 10.3 to 10.3.3 rev. 011967 PRE, and 10.4 to 10.4.1 rev. 011941 PRE contain a hardcoded user account. Unauthenticated and remote attackers can use this account to access administrative API over HTTP.
Source
disclosure@vulncheck.com
NVD status
Modified
Products
experience_commerce, experience_manager, experience_platform, managed_cloud

Risk scores

CVSS 3.1

Type
Primary
Base score
7.5
Impact score
3.6
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Severity
HIGH

Weaknesses

disclosure@vulncheck.com
CWE-798

Social media

Hype score
Not currently trending

  1. 🚨 From Cloudflare Security Research Analysts 🚨 Fresh CVEs patched for Cloudflare WAF customers: 🔐 Sitecore (CVE-2025-34509/10/11): RCE via hardcoded creds + file upload 🧪 Grafana (CVE-2025-4123): XSS → malicious redirect ⚙️ LaRecipe (CVE-2025-53833): SSTI

    @Cloudflare

    5 Aug 2025

    7907 Impressions

    16 Retweets

    61 Likes

    12 Bookmarks

    2 Replies

    0 Quotes

  2. Pesquisadores descobriram três #vulnerabilidades no popular sistema #Sitecore Experience Platform: CVE-2025-34509 senha embutida no código. CVE-2025-34510 vulnerabilidade Zip Slip. CVE-2025-34511 permite que os usuários carreguem arquivos externos. https://t.co/rmIPS0G977

    @EChavarro

    7 Jul 2025

    24 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. 3 vulnerabilidades en el sistema de administración de contenidos #Sitecore Experience Platform: - CVE-2025-34509 #contraseña codificada de forma rígida - CVE-2025-34510 es una #vulnerabilidad de Zip Slip - CVE-2025-34511 cargar archivos sin restricciones https://t.co/RvWjroYP

    @EChavarro

    1 Jul 2025

    17 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations

Related CVEs

  1. Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.CVE-2026-27262
  2. Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.CVE-2026-27266
  3. Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.CVE-2026-27265
  4. Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.CVE-2026-27256
  5. Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.CVE-2026-27257

References

Sources include official advisories and independent security research.