CVE-2019-9874

CRITICAL KEV NUCLEI

Sitecore CMS 7.0-7.2 / Sitecore XP 7.5-8.2 - Deserialization of Untrusted Data (unauthenticated RCE)

Title source: llm

Description

Deserialization of Untrusted Data in the Sitecore.Security.AntiCSRF (aka anti CSRF) module in Sitecore CMS 7.0 to 7.2 and Sitecore XP 7.5 to 8.2 allows an unauthenticated attacker to execute arbitrary code by sending a serialized .NET object in the HTTP POST parameter __CSRFTOKEN.
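The description above gives the whole attack surface: the AntiCSRF module reads the __CSRFTOKEN POST parameter on every request and hands it to a .NET deserializer, so an unauthenticated POST to any path is enough. The following is an added detection example, not Sitecore's code and not the nuclei template: it parses form-encoded POST bodies, base64-decodes __CSRFTOKEN and flags values that begin with the BinaryFormatter SerializationHeaderRecord. It assumes the token travels base64-encoded (the form in which public .NET deserialization payloads are delivered); the host name, paths and sample requests are constructed for the example.

```python
"""Flag POST requests whose __CSRFTOKEN carries a .NET BinaryFormatter stream.

Added example (not Sitecore's code and not the nuclei template). Assumes the
token is base64-encoded, which is how public deserialization payloads are sent.
"""
import base64
import binascii
from typing import Optional
from urllib.parse import parse_qs, urlencode

# SerializationHeaderRecord that opens every BinaryFormatter stream:
# RecordTypeEnum=0, RootId=1, HeaderId=-1, MajorVersion=1, MinorVersion=0.
# Base64-encoded it is the familiar "AAEAAAD/////AQAAAAAAAAA" prefix.
BINARYFORMATTER_HEADER = bytes.fromhex("0001000000ffffffff0100000000000000")


def decode_csrf_token(raw_token: str) -> Optional[bytes]:
    """Base64-decode a __CSRFTOKEN value; None if it is not base64 at all."""
    token = raw_token.strip().replace(" ", "+")  # '+' turned into space by form decoding
    token += "=" * (-len(token) % 4)             # tolerate stripped padding
    try:
        return base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None


def is_binaryformatter_stream(blob: bytes) -> bool:
    """True when the bytes start with the BinaryFormatter header record."""
    return blob.startswith(BINARYFORMATTER_HEADER)


def inspect_request(raw_request: str) -> dict:
    """Classify one raw HTTP request by what its __CSRFTOKEN decodes to."""
    head, _, body = raw_request.partition("\r\n\r\n")
    method, path = head.split("\r\n", 1)[0].split(" ")[:2]
    finding = {"method": method, "path": path, "suspicious": False, "reason": "no __CSRFTOKEN"}
    tokens = parse_qs(body, keep_blank_values=True).get("__CSRFTOKEN")
    if not tokens:
        return finding
    blob = decode_csrf_token(tokens[0])
    if blob is None:
        finding["reason"] = "__CSRFTOKEN is not base64"
    elif is_binaryformatter_stream(blob):
        finding["suspicious"] = True
        finding["reason"] = "__CSRFTOKEN carries a BinaryFormatter stream (CVE-2019-9874 pattern)"
    else:
        finding["reason"] = "__CSRFTOKEN decodes to opaque bytes"
    return finding


def scan(requests: list) -> list:
    """Run inspect_request over a batch and return the findings in order."""
    return [inspect_request(r) for r in requests]


# --- Constructed sample traffic (hypothetical host and paths, not real captures) ---
def build_post(path: str, fields: dict) -> str:
    body = urlencode(fields)  # percent-encodes '+', '/' and '=' like a browser form
    return ("POST {} HTTP/1.1\r\nHost: cms.example.test\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n"
            "Content-Length: {}\r\n\r\n{}").format(path, len(body), body)


BENIGN_TOKEN = base64.b64encode(b"constructed-opaque-csrf-token-0123").decode()
# Header record followed by filler bytes standing in for a real gadget chain.
PAYLOAD = BINARYFORMATTER_HEADER + b"\x0c\x02\x00\x00\x00" + b"<gadget-chain-omitted>"
MALICIOUS_TOKEN = base64.b64encode(PAYLOAD).decode()

SAMPLE_REQUESTS = [
    build_post("/login", {"__CSRFTOKEN": BENIGN_TOKEN, "user": "alice"}),
    build_post("/", {"__CSRFTOKEN": MALICIOUS_TOKEN}),
    build_post("/search", {"q": "news"}),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_REQUESTS):
        flag = "ALERT" if f["suspicious"] else "ok   "
        print(f"{flag} {f['method']} {f['path']}: {f['reason']}")
```

The check is on the request path-independent parameter rather than on a URL, because the module inspects every POST; a rule that only watches the Sitecore login or shell paths would miss the exploit. Matching on the decoded header bytes rather than the base64 text also catches tokens whose '+' was rewritten to a space or whose padding was dropped in transit.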

Nuclei Templates (1)

Sitecore Experience Platform - Deserialization of Untrusted Data
CRITICAL, VERIFIED, by ritikchaddha
Shodan: http.html:"Sitecore Experience Platform"
FOFA: body="Sitecore Experience Platform"

Scores

CVSS v3 9.8
EPSS 0.7990
EPSS Percentile 99.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitation Intel

CISA KEV 2025-03-26
VulnCheck KEV 2025-03-26
ENISA EUVD EUVD-2019-19230

Classification

CWE
CWE-502
Status published

Affected Products (2)

sitecore/cms 7.0 through 7.2 (inclusive, per the description)
sitecore/experience_platform 7.5 through 8.2 (inclusive, per the description)

Timeline

Published May 31, 2019
KEV Added Mar 26, 2025
Tracked Since Feb 18, 2026