Exploitation Summary
CVE-2019-9874 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added March 26, 2025. A Nuclei detection template is also available.
Description
Deserialization of Untrusted Data in the Sitecore.Security.AntiCSRF (aka anti CSRF) module in Sitecore CMS 7.0 to 7.2 and Sitecore XP 7.5 to 8.2 allows an unauthenticated attacker to execute arbitrary code by sending a serialized .NET object in the HTTP POST parameter __CSRFTOKEN.
Nuclei Templates (1)
Sitecore Experience Platform - Deserialization of Untrusted Data
Severity: CRITICAL | Status: VERIFIED | Author: ritikchaddha
Shodan:
http.html:"SitecoSitecore Experience Platform"
FOFA:
body="Sitecore Experience Platform"
References (4)
Core References
Product, Vendor Advisory (x_refsource_misc): https://dev.sitecore.net/Downloads.aspx
Third Party Advisory (x_refsource_misc): https://www.synacktiv.com/blog.html
Exploit, Patch, Third Party Advisory (x_refsource_misc): https://www.synacktiv.com/ressources/advisories/Sitecore_CSRF_deserialize_RCE.pdf
US Government Resource: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-9874
Scores
CVSS v3: 9.8
EPSS: 0.8763
EPSS Percentile: 99.5%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC (Vulnrichment)
Exploitation: active
Automatable: yes
Technical Impact: total
Details
CISA KEV: 2025-03-26
VulnCheck KEV: 2025-03-26
ENISA EUVD: EUVD-2019-19230
CWE: CWE-502
Status: published
Products (2)
sitecore/cms: 7.0 - 7.2
sitecore/experience_platform: 7.5 - 8.2
Published: May 31, 2019
KEV Added: Mar 26, 2025
Tracked Since: Feb 18, 2026