CVE-2019-9875

HIGH KEV

Sitecore <9.1 - Code Injection

Title source: llm

Description

Deserialization of Untrusted Data in the anti CSRF module in Sitecore through 9.1 allows an authenticated attacker to execute arbitrary code by sending a serialized .NET object in an HTTP POST parameter.

References (4)

[Product, Vendor Advisory] https://dev.sitecore.net/Downloads.aspx

[Third Party Advisory] https://www.synacktiv.com/blog.html

[Exploit, Patch, Third Party Advisory] https://www.synacktiv.com/ressources/advisories/Sitecore_CSRF_deserialize_RCE.pdf

[US Government Resource] https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-9875

Scores

CVSS v3 8.8

EPSS 0.2477

EPSS Percentile 96.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitation Intel

CISA KEV 2025-03-26

VulnCheck KEV 2025-03-26

ENISA EUVD EUVD-2019-19231

Classification

CWE

CWE-502

Status published

Affected Products (1)

sitecore/cms < 9.1

Timeline

Published May 31, 2019

KEV Added Mar 26, 2025

Tracked Since Feb 18, 2026