High severity7.5NVD Advisory· Published Jun 17, 2025· Updated Jun 17, 2026
CVE-2025-34509
CVE-2025-34509
Description
Sitecore Experience Manager (XM) and Experience Platform (XP) versions 10.1 to 10.1.4 rev. 011974 PRE, all versions of 10.2, 10.3 to 10.3.3 rev. 011967 PRE, and 10.4 to 10.4.1 rev. 011941 PRE contain a hardcoded user account. Unauthenticated and remote attackers can use this account to access administrative API over HTTP.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
410.1 to 10.1.4 rev. 011974 PRE, all versions of 10.2, 10.3 to 10.3.3 rev. 011967 PRE, and 10.4 to 10.4.1 rev. 011941 PRE+ 1 more
- (no CPE)range: 10.1 to 10.1.4 rev. 011974 PRE, all versions of 10.2, 10.3 to 10.3.3 rev. 011967 PRE, and 10.4 to 10.4.1 rev. 011941 PRE
- (no CPE)range: 10.4
10.1 to 10.1.4 rev. 011974 PRE, all versions of 10.2, 10.3 to 10.3.3 rev. 011967 PRE, and 10.4 to 10.4.1 rev. 011941 PRE+ 1 more
- (no CPE)range: 10.1 to 10.1.4 rev. 011974 PRE, all versions of 10.2, 10.3 to 10.3.3 rev. 011967 PRE, and 10.4 to 10.4.1 rev. 011941 PRE
- (no CPE)range: 10.4
Patches
Vulnerability mechanics
References
2- labs.watchtowr.com/is-b-for-backdoor-pre-auth-rce-chain-in-sitecore-experience-platform/nvdExploitThird Party Advisory
- support.sitecore.com/kbnvdVendor Advisory
News mentions
0No linked articles in our index yet.