Sitecore Experience Manager (XM), Experience Platform (XP), and Experience Commerce (XC) versions 9.0 through 9.3 and 10.0 through 10.4 are affected by a Zip Slip vulnerability. A remote, authenticated attacker can exploit this issue by sending a crafted HTTP request to upload a ZIP archive containing path traversal sequences, allowing arbitrary file writes and leading to code execution.
References
| Link | Resource |
|---|---|
| https://labs.watchtowr.com/is-b-for-backdoor-pre-auth-rce-chain-in-sitecore-experience-platform/ | Exploit Third Party Advisory |
| https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1003667 | Vendor Advisory |
Configurations
Configuration 1 (hide)
|
History
08 Sep 2025, 19:22
| Type | Values Removed | Values Added |
|---|---|---|
| First Time |
Sitecore managed Cloud
Sitecore Sitecore experience Manager Sitecore experience Commerce Sitecore experience Platform |
|
| CPE | cpe:2.3:a:sitecore:experience_commerce:*:*:*:*:*:*:*:* cpe:2.3:a:sitecore:experience_platform:10.4:-:*:*:*:*:*:* cpe:2.3:a:sitecore:experience_platform:*:*:*:*:*:*:*:* cpe:2.3:a:sitecore:managed_cloud:-:*:*:*:*:*:*:* cpe:2.3:a:sitecore:experience_manager:*:*:*:*:*:*:*:* |
|
| References | () https://labs.watchtowr.com/is-b-for-backdoor-pre-auth-rce-chain-in-sitecore-experience-platform/ - Exploit, Third Party Advisory | |
| References | () https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1003667 - Vendor Advisory |
17 Jun 2025, 20:50
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2025-06-17 19:15
Updated : 2025-09-08 19:22
NVD link : CVE-2025-34510
Mitre link : CVE-2025-34510
CVE.ORG link : CVE-2025-34510
JSON object : View
Products Affected
sitecore
- experience_commerce
- experience_manager
- experience_platform
- managed_cloud
CWE
CWE-23
Relative Path Traversal