Unrated severityNVD Advisory· Published Jun 17, 2025· Updated Feb 26, 2026

Sitecore XM and XP Hardcoded Credentials

CVE-2025-34509

Description

Sitecore Experience Manager (XM) and Experience Platform (XP) versions 10.1 to 10.1.4 rev. 011974 PRE, all versions of 10.2, 10.3 to 10.3.3 rev. 011967 PRE, and 10.4 to 10.4.1 rev. 011941 PRE contain a hardcoded user account. Unauthenticated and remote attackers can use this account to access administrative API over HTTP.

Affected products

Sitecore/Experience Platform (XP)llm-fuzzy
Range: >=10.1 <=10.1.4 rev. 011974 PRE, =10.2.*, >=10.3 <=10.3.3 rev. 011967 PRE, >=10.4 <=10.4.1 rev. 011941 PRE
Sitecore/Sitecore Experience Manager (XM)llm-fuzzy
Range: >=10.1 <=10.1.4 rev. 011974 PRE, =10.2.*, >=10.3 <=10.3.3 rev. 011967 PRE, >=10.4 <=10.4.1 rev. 011941 PRE
Sitecore/Experience Managerv5
Range: 10.4
Sitecore/Experience Platformv5
Range: 10.4

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

labs.watchtowr.com/is-b-for-backdoor-pre-auth-rce-chain-in-sitecore-experience-platform/mitrethird-party-advisoryexploittechnical-description
support.sitecore.com/kbmitrevendor-advisory

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.013
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000