CVE-2025-34509

Published Jun 17, 2025

Last updated 2 months ago

Sitecore XM

Sitecore XP

Overview

AI description

Automated description summarized from trusted sources.

CVE-2025-34509 involves a hardcoded user account vulnerability found in Sitecore Experience Manager (XM) and Experience Platform (XP) versions 10.1 to 10.1.4 rev. 011974 PRE, all versions of 10.2, 10.3 to 10.3.3 rev. 011967 PRE, and 10.4 to 10.4.1 rev. 011941 PRE. This flaw allows unauthenticated, remote attackers to gain access to the administrative API over HTTP. The hardcoded credentials originate from within the Sitecore installer, which imports a pre-configured user database with the ServicesAPI password set to 'b'. Successful exploitation of this vulnerability enables remote attackers to authenticate as the ServicesAPI user, thereby accessing various APIs and endpoints within the Sitecore platform. Although the ServicesAPI user has no roles assigned by default, the authenticated session can bypass IIS authorization rules and access multiple aspx files stored in prohibited directories, significantly expanding the attack surface.

Description: Sitecore Experience Manager (XM) and Experience Platform (XP) versions 10.1 to 10.1.4 rev. 011974 PRE, all versions of 10.2, 10.3 to 10.3.3 rev. 011967 PRE, and 10.4 to 10.4.1 rev. 011941 PRE contain a hardcoded user account. Unauthenticated and remote attackers can use this account to access administrative API over HTTP.
Source: disclosure@vulncheck.com
NVD status: Awaiting Analysis

Risk scores

CVSS 3.1

Type: Secondary
Base score: 8.2
Impact score: 4.2
Exploitability score: 3.9
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Severity: HIGH

Weaknesses

disclosure@vulncheck.com: CWE-798

Hype score: Not currently trending

References