CVE-2025-34511

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-34511
Sitecore PowerShell Extensions, an add-on to Sitecore Experience Manager (XM) and Experience Platform (XP), through version 7.0 is vulnerable to an unrestricted file upload issue. A remote, authenticated attacker can upload arbitrary files to the server using crafted HTTP requests, resulting in remote code execution.

8.8 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://labs.watchtowr.com/is-b-for-backdoor-pre-auth-rce-chain-in-sitecore-experience-platform/ Exploit Third Party Advisory
https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1003667 Vendor Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:sitecore:experience_commerce:*:*:*:*:*:*:*:*
cpe:2.3:a:sitecore:experience_manager:*:*:*:*:*:*:*:*
cpe:2.3:a:sitecore:experience_platform:*:*:*:*:*:*:*:*
cpe:2.3:a:sitecore:experience_platform:10.4:-:*:*:*:*:*:*
cpe:2.3:a:sitecore:managed_cloud:-:*:*:*:*:*:*:*
History

08 Sep 2025, 19:10

Type Values Removed Values Added
References () https://labs.watchtowr.com/is-b-for-backdoor-pre-auth-rce-chain-in-sitecore-experience-platform/ - () https://labs.watchtowr.com/is-b-for-backdoor-pre-auth-rce-chain-in-sitecore-experience-platform/ - Exploit, Third Party Advisory
References () https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1003667 - () https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1003667 - Vendor Advisory
First Time Sitecore managed Cloud
Sitecore
Sitecore experience Manager
Sitecore experience Commerce
Sitecore experience Platform
CPE cpe:2.3:a:sitecore:experience_commerce:*:*:*:*:*:*:*:*
cpe:2.3:a:sitecore:experience_platform:10.4:-:*:*:*:*:*:*
cpe:2.3:a:sitecore:experience_platform:*:*:*:*:*:*:*:*
cpe:2.3:a:sitecore:managed_cloud:-:*:*:*:*:*:*:*
cpe:2.3:a:sitecore:experience_manager:*:*:*:*:*:*:*:*

22 Jul 2025, 14:15

Type Values Removed Values Added
References
  • () https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1003667 -

17 Jun 2025, 20:50

Type Values Removed Values Added
New CVE
Information

Published : 2025-06-17 19:15

Updated : 2025-09-08 19:10

NVD link : CVE-2025-34511

Mitre link : CVE-2025-34511

CVE.ORG link : CVE-2025-34511

JSON object : View

Products Affected

sitecore

  • experience_commerce
  • experience_manager
  • experience_platform
  • managed_cloud
CWE
CWE-434

Unrestricted Upload of File with Dangerous Type