Sitecore Experience Manager (XM) and Experience Platform (XP) versions 10.1 to 10.1.4 rev. 011974 PRE, all versions of 10.2, 10.3 to 10.3.3 rev. 011967 PRE, and 10.4 to 10.4.1 rev. 011941 PRE contain a hardcoded user account. Unauthenticated, remote attackers can use this account to access the administrative API over HTTP.
References
| Link | Resource |
|---|---|
| https://labs.watchtowr.com/is-b-for-backdoor-pre-auth-rce-chain-in-sitecore-experience-platform/ | Exploit, Third Party Advisory |
| https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1003667 | Vendor Advisory |
History
08 Sep 2025, 19:17
| Type | Values Removed | Values Added |
|---|---|---|
| CPE | | cpe:2.3:a:sitecore:experience_commerce:*:*:*:*:*:*:*:* <br> cpe:2.3:a:sitecore:experience_platform:10.4:-:*:*:*:*:*:* <br> cpe:2.3:a:sitecore:experience_platform:*:*:*:*:*:*:*:* <br> cpe:2.3:a:sitecore:managed_cloud:-:*:*:*:*:*:*:* <br> cpe:2.3:a:sitecore:experience_manager:*:*:*:*:*:*:*:* |
| References | | https://labs.watchtowr.com/is-b-for-backdoor-pre-auth-rce-chain-in-sitecore-experience-platform/ - Exploit, Third Party Advisory |
| References | | https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1003667 - Vendor Advisory |
| First Time | | Sitecore managed Cloud <br> Sitecore experience Manager <br> Sitecore experience Commerce <br> Sitecore experience Platform |
22 Jul 2025, 14:15
| Type | Values Removed | Values Added |
|---|---|---|
| References | | |
17 Jun 2025, 20:50
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE | | |
Information
Published : 2025-06-17 19:15
Updated : 2025-09-08 19:17
NVD link : CVE-2025-34509
Mitre link : CVE-2025-34509
CVE.ORG link : CVE-2025-34509
Products Affected
sitecore
- experience_commerce
- experience_manager
- experience_platform
- managed_cloud
CWE
CWE-798
Use of Hard-coded Credentials