Critical RCE Vulnerabilities in Sitecore XP and PowerShell Extensions
Summary
watchTowr researchers have identified a chain of critical vulnerabilities in Sitecore Experience Platform (XP) and its commonly deployed PowerShell Extensions. These issues allow both pre-authentication and post-authentication remote code execution (RCE), impacting a wide range of deployments. The chain begins with the abuse of hardcoded credentials and leads to arbitrary file write via unsafe upload handling and archive extraction. In parallel, a separate vulnerability in the Sitecore PowerShell Extension allows attackers to upload arbitrary files to attacker-specified paths with minimal complexity.
If exploited, these vulnerabilities can lead to complete server compromise and persistent access via webshells or malicious scripts.
Affected Systems and/or Applications
- Sitecore XP prior to v10.4 (for WT-2025-0024 & WT-2025-0032)
- Sitecore PowerShell Extensions (all versions prior to patch) (for WT-2025-0025)
- All deployments where the ServicesAPI user is present and accessible
- All instances with default or misconfigured authentication, or SXA installations
Technical Details
WT-2025-0024 (CVE-2025-34509) – Hardcoded Credentials
watchTowr researchers have identified that recent versions of Sitecore XP (10.1–10.4) include hardcoded, low-privileged internal user accounts—most notably the sitecore\ServicesAPI user—with weak, pre-set passwords, including the trivially guessable password: b. These credentials are identical across all default installations due to being hardcoded in Sitecore’s database setup files (.dacpac). While the ServicesAPI account lacks administrative roles, attackers can still exploit this account to bypass anonymous restrictions, generate valid session cookies, and expand their attack surface within Sitecore environments.
Vulnerability Details
- Passwords are not randomized per installation, meaning any attacker who cracks the password once can authenticate across vulnerable deployments.
- Authentication via /sitecore/admin bypasses backend role checks and allows valid session generation, even without elevated privileges.
- Successful login results in .AspNet.Cookies being issued, allowing access to protected resources otherwise unavailable to unauthenticated users.
- Weak password hashes originate from the Sitecore installation DACPAC, which seeds the core database with static user credentials.
WT-2025-0032 (CVE-2025-34510) – Post-Auth RCE (Via Path Traversal)
CVE-2025-34510 is a path traversal vulnerability in Sitecore Experience Platform’s ZIP file handling within the uiUpload pipeline. When a ZIP archive is uploaded via Upload2.aspx with the Unzip=1 parameter, the internal method SaveUnpackedFiles processes each entry without sanitizing path traversal sequences (e.g., ../).
Due to the use of FileUtil.MapPath, specially crafted ZIP entries (e.g., /\/../webshell.aspx) are mapped to the webroot directory, allowing arbitrary file write. This enables attackers to upload a webshell to the Sitecore application directory, leading to remote code execution.
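The defect described above is the classic "zip slip" pattern: archive entry names are trusted as relative paths and mapped into the filesystem unchanged. The following is an added example (not Sitecore code and not from the watchTowr write-up) of the containment check that an unpack routine needs before writing any entry: normalise separators, reject absolute and drive-letter entries, collapse `..` lexically, and finally confirm that the resolved target still lies under the resolved destination root. `DEST_ROOT` and the entry names in the sample archive are constructed for the demonstration.

```python
import io
import os
import posixpath
import zipfile

# Root the uploaded archive is supposed to be unpacked under (assumed path, not a Sitecore default).
DEST_ROOT = "/var/www/sitecore/upload"


def member_is_contained(dest_root, member_name):
    """True only if extracting member_name under dest_root cannot write outside it."""
    # Treat backslashes as separators so "..\\x" is not smuggled past a forward-slash check.
    name = member_name.replace("\\", "/")
    # Absolute paths and drive-letter prefixes never belong in an upload archive.
    if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
        return False
    # Collapse "." and ".." lexically; anything still pointing upward has escaped.
    normalized = posixpath.normpath(name)
    if normalized in ("", ".", "..") or normalized.startswith("../"):
        return False
    # Final authority: the resolved target must sit under the resolved root
    # (this also catches escapes through symlinks that already exist on disk).
    root = os.path.realpath(dest_root)
    target = os.path.realpath(os.path.join(root, *normalized.split("/")))
    return os.path.commonpath([root, target]) == root


def audit_archive(zip_bytes, dest_root=DEST_ROOT):
    """Map every archive entry to an accept/reject verdict without extracting anything."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return {info.filename: member_is_contained(dest_root, info.filename)
                for info in zf.infolist()}


def build_sample_archive():
    """Constructed test archive: two benign entries and two that try to escape the root."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("content/readme.txt", "benign")
        zf.writestr("nested/../style.css", "benign; normalises to style.css inside the root")
        zf.writestr("../escape.aspx", "would land one level above the root")
        zf.writestr("/\\/../webshell.aspx", "the entry shape quoted in the advisory")
    return buf.getvalue()


if __name__ == "__main__":
    for name, ok in audit_archive(build_sample_archive()).items():
        print(f"{'ACCEPT' if ok else 'REJECT':6} {name}")
```

An unpack routine should run `member_is_contained` on every entry and abort the whole upload on the first rejection rather than skipping the bad entry, since a partially extracted archive is itself an unexpected state. Extension filtering of the accepted entries (see the hardening guidance below) is a separate control layered on top of this one.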
WT-2025-0025 (CVE-2025-34511) – Unrestricted File Upload in PowerShell Extensions
A separate post-authentication RCE vulnerability exists in PowerShellUploadFile2.aspx, part of the Sitecore PowerShell Extension. Attackers can define file name, path, and extension freely due to the complete lack of validation in uploadArgs.
- Vulnerable Endpoint: /sitecore modules/Shell/PowerShell/UploadFile/PowerShellUploadFile2.aspx
- Exploit: Send a POST request with multipart/form-data, setting ItemUri, Folder, and attaching a malicious .aspx file.
- Impact: Full arbitrary file upload as an authenticated ServicesAPI user, leading to easy RCE.
Mitigation & Recommendations
To mitigate the risks associated with these vulnerabilities, the following actions should be prioritized:
Immediate Actions
- Upgrade to Sitecore XP v10.4 (May 2025 Update) or later, where WT-2025-0024 and WT-2025-0032 are patched.
- Apply updates to the Sitecore PowerShell Extensions as released by the vendor.
- Audit for presence of ServicesAPI accounts and disable or rotate credentials where applicable.
Recommended Hardening
- Restrict access to /sitecore endpoints at the application gateway or firewall layer.
- Implement upload file validation and extension filtering, especially for .aspx, .php, .jsp, etc.
- Monitor logs for anomalous activity involving:
- /Upload2.aspx?hdl=…
- /PowerShellUploadFile2.aspx
- Access to unexpected .aspx files in webroot or /sitecore modules/
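The three monitoring items above translate directly into log rules. The following is an added example (not part of this advisory or of any Sitecore tooling) that scans IIS W3C-format access logs for them: a request to Upload2.aspx carrying `Unzip=1`, any hit on PowerShellUploadFile2.aspx, and a request for an .aspx file inside a directory where uploads land. The log excerpt is constructed, the `hdl` value is a placeholder, and `WATCHED_DIRS` is an assumed list to be adjusted per deployment.

```python
from urllib.parse import parse_qs, unquote_plus

# Constructed IIS W3C log excerpt for demonstration; not real traffic.
# IIS writes spaces inside a URL as "+", which is why the SPE path below
# reads "/sitecore+modules/..." and is decoded with unquote_plus().
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2025-06-18 10:01:02 GET /sitecore/shell/default.aspx - 10.0.0.5 200
2025-06-18 10:02:11 POST /sitecore/shell/Applications/Upload2.aspx hdl=PLACEHOLDER&Unzip=1 203.0.113.7 200
2025-06-18 10:02:14 GET /upload/unexpected.aspx - 203.0.113.7 200
2025-06-18 10:03:30 POST /sitecore+modules/Shell/PowerShell/UploadFile/PowerShellUploadFile2.aspx - 203.0.113.9 200
2025-06-18 10:04:00 GET /sitecore/content/home.aspx - 10.0.0.6 200
"""

# Assumed directories where an .aspx file should never be served; tune to your deployment.
WATCHED_DIRS = ("/upload/", "/temp/", "/sitecore modules/")


def parse_w3c(text):
    """Yield (line_no, record) pairs, taking column names from the #Fields header."""
    fields = None
    for line_no, raw in enumerate(text.splitlines(), 1):
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if not raw or raw.startswith("#"):
            continue
        if fields is None:
            raise ValueError("log data before #Fields header")
        values = raw.split(" ")
        if len(values) != len(fields):
            continue  # malformed line; a production scanner would record this
        yield line_no, dict(zip(fields, values))


def classify(record):
    """Return the first matching rule name for one request, or None."""
    stem = unquote_plus(record["cs-uri-stem"]).lower()
    query = record["cs-uri-query"]
    params = {} if query == "-" else {
        k.lower(): v for k, v in parse_qs(query, keep_blank_values=True).items()
    }
    if stem.endswith("/upload2.aspx") and params.get("unzip") == ["1"]:
        return "zip_unpack_upload"        # surface of WT-2025-0032
    if stem.endswith("/powershelluploadfile2.aspx"):
        return "spe_upload_endpoint"      # surface of WT-2025-0025
    if stem.endswith(".aspx") and stem.startswith(WATCHED_DIRS):
        return "unexpected_aspx"          # a dropped page being invoked from an upload dir
    return None


def scan_iis_log(text):
    """Return one finding per matching request, in log order."""
    findings = []
    for line_no, rec in parse_w3c(text):
        rule = classify(rec)
        if rule:
            findings.append({
                "line": line_no,
                "rule": rule,
                "client": rec["c-ip"],
                "method": rec["cs-method"],
                "path": unquote_plus(rec["cs-uri-stem"]),
            })
    return findings


if __name__ == "__main__":
    for finding in scan_iis_log(SAMPLE_LOG):
        print(finding)
```

The rules are ordered from most to least specific so each request yields a single finding; a hit on the SPE endpoint is reported as `spe_upload_endpoint` even though it also sits under `/sitecore modules/`. Legitimate administrators use Upload2.aspx too, so the first rule is a review trigger, not an alert by itself; correlating the client address with a subsequent `unexpected_aspx` hit, as in the sample, is what should page someone.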
What the Cyber Fusion Center is Doing
The CFC will continue to monitor the situation and send an advisory update if needed. The actions listed above are required to mitigate potential exploitation by restricting access and enhancing security monitoring. These vulnerabilities demonstrate the impact of weak access control, legacy credential management, and insecure file handling practices in enterprise web applications.
References
Is b For Backdoor? Pre-Auth RCE Chain In Sitecore Experience Platform
Pre-Authenticated RCE Chain Disclosed in Sitecore XP | Arctic Wolf