{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-34509","assignerOrgId":"83251b91-4cc7-4094-a5c7-464a1b83ea10","state":"PUBLISHED","assignerShortName":"VulnCheck","dateReserved":"2025-04-15T19:15:22.612Z","datePublished":"2025-06-17T18:20:57.441Z","dateUpdated":"2026-02-26T17:50:31.319Z"},"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Experience Manager","vendor":"Sitecore","versions":[{"lessThan":"10.4.1 rev. 011941 PRE","status":"affected","version":"10.4","versionType":"custom"},{"lessThan":"10.3.3 rev. 011967 PRE","status":"affected","version":"10.3","versionType":"custom"},{"lessThan":"10.1.4 rev. 011974 PRE","status":"affected","version":"10.1","versionType":"custom"}]},{"defaultStatus":"unaffected","product":"Experience Platform","vendor":"Sitecore","versions":[{"lessThan":"10.4.1 rev. 011941 PRE","status":"affected","version":"10.4","versionType":"custom"},{"lessThan":"10.3.3 rev. 011967 PRE","status":"affected","version":"10.3","versionType":"custom"},{"lessThan":"10.1.4 rev. 011974 PRE","status":"affected","version":"10.1","versionType":"custom"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:a:sitecore:experience_manager:*:*:*:*:*:*:*:*","versionEndExcluding":"10.4.1","versionStartIncluding":"10.4","vulnerable":true},{"criteria":"cpe:2.3:a:sitecore:experience_manager:*:*:*:*:*:*:*:*","versionEndExcluding":"10.3.3","versionStartIncluding":"10.3","vulnerable":true},{"criteria":"cpe:2.3:a:sitecore:experience_manager:*:*:*:*:*:*:*:*","versionEndExcluding":"10.1.4","versionStartIncluding":"10.1","vulnerable":true}],"negate":false,"operator":"OR"}],"operator":"OR"},{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:a:sitecore:experience_platform:*:*:*:*:*:*:*:*","versionEndExcluding":"10.4.1","versionStartIncluding":"10.4","vulnerable":true},{"criteria":"cpe:2.3:a:sitecore:experience_platform:*:*:*:*:*:*:*:*","versionEndExcluding":"10.3.3","versionStartIncluding":"10.3","vulnerable":true},{"criteria":"cpe:2.3:a:sitecore:experience_platform:*:*:*:*:*:*:*:*","versionEndExcluding":"10.1.4","versionStartIncluding":"10.1","vulnerable":true}],"negate":false,"operator":"OR"}],"operator":"OR"}],"credits":[{"lang":"en","type":"finder","value":"Piotr Bazydlo of watchTowr"}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"Sitecore Experience Manager (XM) and Experience Platform (XP) versions 10.1 to 10.1.4 rev. 011974 PRE, all versions of 10.2, 10.3 to 10.3.3 rev. 011967 PRE, and 10.4 to 10.4.1 rev. 011941 PRE contain a hardcoded user account. Unauthenticated and remote attackers can use this account to access administrative API over HTTP."}],"value":"Sitecore Experience Manager (XM) and Experience Platform (XP) versions 10.1 to 10.1.4 rev. 011974 PRE, all versions of 10.2, 10.3 to 10.3.3 rev. 011967 PRE, and 10.4 to 10.4.1 rev. 011941 PRE contain a hardcoded user account. Unauthenticated and remote attackers can use this account to access administrative API over HTTP."}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","version":"3.1"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-798","description":"CWE-798 Use of Hard-coded Credentials","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"83251b91-4cc7-4094-a5c7-464a1b83ea10","shortName":"VulnCheck","dateUpdated":"2025-12-27T16:47:40.562Z"},"references":[{"tags":["third-party-advisory","exploit","technical-description"],"url":"https://labs.watchtowr.com/is-b-for-backdoor-pre-auth-rce-chain-in-sitecore-experience-platform/"},{"tags":["vendor-advisory"],"url":"https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1003667"}],"solutions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"Update to patched versions."}],"value":"Update to patched versions."}],"source":{"discovery":"EXTERNAL"},"title":"Sitecore XM and XP Hardcoded Credentials","x_generator":{"engine":"vulncheck"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"id":"CVE-2025-34509","role":"CISA Coordinator","options":[{"Exploitation":"poc"},{"Automatable":"yes"},{"Technical Impact":"total"}],"version":"2.0.3","timestamp":"2025-06-18T03:56:10.468989Z"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-02-26T17:50:31.319Z"}}]}}