Enterprise Alarms Sound Over Sitecore XP Remote‑Code‑Execution Chain

Arabian Post

6 days ago

Security experts have identified a critical and exploitable chain of vulnerabilities in Sitecore Experience Platform that enables pre-authenticated remote code execution, sparking concern among enterprises that deploy the CMS. The chain combines a hard‑coded single‑character credential in an internal account with two post-authentication flaws that permit arbitrary file uploads: one through a zip‑slip path traversal and another via Sitecore PowerShell Extensions.

The most troubling discovery centres on the sitecoreServicesAPI account, which, despite being an internal user, ships with a default password of 'b'. This credential was found in Sitecore XP versions 10.1 and above, leaving the back end exposed to threat actors. Once authenticated with this weak password, attackers can leverage the two follow‑on vulnerabilities, the zip‑slip path traversal and the unrestricted upload in PowerShell Extensions, to deploy web shells and execute arbitrary code.

Analysis of the attack chain shows that authentication as the ServicesAPI user bypasses typical IIS and API endpoint authorisation rules. Although the account has no explicit roles, it can trigger the zip‑slip flaw to unzip malicious payloads under the web root folder. Additionally, the PowerShell Extensions vulnerability allows arbitrary file uploads without type restrictions, further easing weaponisation.

Worryingly, millions of instances of Sitecore XP are publicly exposed on the internet, including installations at major banks, airlines, and Fortune 500 companies. The chained exploit makes these installations highly vulnerable to supply‑chain and enterprise‑level breaches. Sitecore had not released Common Vulnerabilities and Exposures identifiers at the time of disclosure, but the platform's security team implemented patches in June 2025.
Vendors and managed cloud providers have been urged to deploy hotfixes immediately and ensure legacy accounts like ServicesAPI have their credentials updated or disabled. In parallel, independent researchers uncovered an additional unauthenticated RCE flaw, CVE‑2025‑27218, affecting version 10.4.1 and above. This vulnerability stems from unsafe deserialisation and can be triggered without authentication, underscoring multiple independent threat vectors.

Industry analysts warn that organisations which upgraded Sitecore XP by re‑importing default databases may have inadvertently inherited the hard‑coded password vulnerability, even if they bypassed new installers. Conversely, installations that preserved older databases may be unaffected by the ServicesAPI credential flaw.

Enterprises still using unpatched Sitecore XP systems face a high risk. The threat actors who reverse‑engineered the fix have demonstrated full exploit chains in live environments. The price of inaction is steep: exposure of sensitive data, defacement, and enterprise‑wide ransomware implications.

Security leaders recommend urgent steps: apply Sitecore's June hotfixes, enforce credential rotation policies, especially for default or internal accounts, and fortify monitoring of CMS endpoints. Additional defensive layers are suggested: web application firewalls, integrity monitoring for uploads, and extensive penetration testing focused on CMS deserialization and file‑handling components.