CVE-2021-42237

CRITICAL · KEV · RANSOMWARE · NUCLEI

Sitecore Experience Platform 7.5-8.2 Update-7 - Unauthenticated Remote Code Execution via Insecure Deserialization

Title source: llm

Exploitation Summary

CVE-2021-42237 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added March 25, 2022, with confirmed use in ransomware campaigns. EIP tracks 6 public exploits from researchers including vesperp, crankyyash, AssetNote and gwillcox-r7, among them a Metasploit module (exploits/windows/http/sitecore_xp_cve_2021_42237). A Nuclei detection template is also available.

AI-analyzed exploit summary: This PoC exploits CVE-2021-42237, a deserialization vulnerability in Sitecore XP, by sending a malicious XML payload to trigger remote code execution via a crafted `ComparisonComparer` delegate. The payload executes a DNS lookup command to confirm exploitation.

Description

Sitecore XP 7.5 Initial Release to Sitecore XP 8.2 Update-7 is vulnerable to an insecure deserialization attack where it is possible to achieve remote command execution on the machine. No authentication or special configuration is required to exploit this vulnerability.
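
The affected range is given above in Sitecore's release naming (7.5 Initial Release through 8.2 Update-7), while CPE data and the Metasploit target list further down use dotted builds (8.2.7). The following is an added example, not code from EIP, from Sitecore, or from any of the listed PoCs: a Python check that normalises both notations and answers whether a build falls inside the ranges this page lists. The version strings it is fed are assumptions, and it deliberately does not map Sitecore's `rev.` build numbers to update numbers, so a string carrying only a rev number comes back as unparsed rather than guessed.

```python
import re
from typing import Optional, Tuple

# Last affected update per branch, from the Metasploit target list on this page:
# 7.5 to 7.5.2, 8.0 to 8.0.7, 8.1 to 8.1.3, 8.2 to 8.2.7. "x.y.N", "x.y Update-N"
# and (for N = 0) "x.y Initial Release" all name the same build.
LAST_AFFECTED_UPDATE = {
    (7, 5): 2,
    (8, 0): 7,
    (8, 1): 3,
    (8, 2): 7,
}

_PRODUCT_PREFIX = re.compile(r"^Sitecore(?:\s*XP|\.NET)?\s+", re.IGNORECASE)
_DOTTED = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?$")
_NAMED = re.compile(
    r"^(\d+)\.(\d+)\s+(?:Initial(?:\s+Release)?|Update-?\s*(\d+))$", re.IGNORECASE
)


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Normalise a Sitecore XP version string to (major, minor, update).

    Accepts the dotted form used in CPE data and the Metasploit module
    ("8.2.7", "8.1") and Sitecore's release names ("8.2 Update-7",
    "7.5 Initial Release"). Returns None for anything else, including a bare
    "rev. NNNNNN" build number, which this check does not map to an update
    number (assumption: the caller resolves those by hand).
    """
    s = _PRODUCT_PREFIX.sub("", text.strip())
    m = _DOTTED.match(s) or _NAMED.match(s)
    if m is None:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def is_affected(text: str) -> Optional[bool]:
    """True if the build is inside a listed affected range, False if it is
    outside every listed range, None if the string could not be parsed and
    needs a manual look."""
    parsed = parse_version(text)
    if parsed is None:
        return None
    major, minor, update = parsed
    last = LAST_AFFECTED_UPDATE.get((major, minor))
    if last is None:
        return False  # branch not listed at all (e.g. 9.0, 10.x)
    return update <= last


if __name__ == "__main__":
    # Constructed inputs covering both notations, an unlisted branch and a rev-only string.
    for v in ("8.2 Update-7", "Sitecore XP 8.2.7", "7.5 Initial Release",
              "8.1.4", "9.0.2", "Sitecore.NET 8.2 (rev. 170407)"):
        print(f"{v!r:38} affected={is_affected(v)}")
```

A `None` result is the interesting one in practice: the check refuses to guess from a rev number, so those hosts go on the manual list instead of being silently cleared.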

Exploits (6)

nomisec · WORKING POC · 1 star
by vesperp · remote
https://github.com/vesperp/CVE-2021-42237-SiteCore-XP

This PoC exploits CVE-2021-42237, a deserialization vulnerability in Sitecore XP, by sending a malicious XML payload to trigger remote code execution via a crafted `ComparisonComparer` delegate. The payload executes a DNS lookup command to confirm exploitation.

Classification: Working PoC (95%)
Attack Type: Deserialization
Complexity: Moderate
Reliability: Reliable
Target: Sitecore XP (version not specified)
Auth: none needed
Prerequisites: Target URL list in `target.txt` · DNSLOG platform for verification
Analyzed by devstral-2 on Feb 16, 2026
nomisec · SCANNER
by crankyyash · poc
https://github.com/crankyyash/SiteCore-RCE-Detection

This repository contains a Python script that scans for CVE-2021-42237, a pre-auth RCE vulnerability in Sitecore Experience Platform. It checks for vulnerable versions and tests the vulnerable endpoint (Report.ashx) via GET and POST requests.

Classification: Scanner (90%)
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Sitecore Experience Platform (versions < 9.0, as the script treats them; the affected range on this page is 7.5 Initial Release to 8.2 Update-7)
Auth: none needed
Prerequisites: List of target URLs in a text file
Analyzed by devstral-2 on Feb 16, 2026
vulncheck_xdb · WORKING POC
remote
https://github.com/ItsIgnacioPortal/CVE-2021-42237

This repository contains a functional exploit for CVE-2021-42237, a deserialization vulnerability in Sitecore. The PoC leverages a crafted XML payload to achieve remote code execution (RCE) via a SortedSet deserialization gadget chain.

Classification: Working PoC (100%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Sitecore
Auth: none needed
Prerequisites: Access to the Sitecore instance · Network connectivity to the target
Analyzed by devstral-2 on Feb 25, 2026
inthewild · WORKING POC
poc
https://github.com/pinkdev1/cve-2021-42237

This repository contains a functional exploit for CVE-2021-42237, a deserialization vulnerability in Sitecore XP. The PoC leverages a crafted XML payload to achieve remote code execution (RCE) via a .NET deserialization gadget chain.

Classification: Working PoC (100%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Sitecore XP (versions affected by CVE-2021-42237)
Auth: none needed
Prerequisites: Access to the Sitecore Reporting endpoint (/sitecore/shell/ClientBin/Reporting/Report.ashx)
Analyzed by devstral-2 on Feb 23, 2026
inthewild · WORKING POC
poc
https://github.com/itsignacioportal/cve-2021-42237

This repository contains a functional exploit for CVE-2021-42237, a deserialization vulnerability in Sitecore. The PoC includes a crafted XML payload that triggers remote code execution via a malicious SortedSet comparator.

Classification: Working PoC (100%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Sitecore
Auth: none needed
Prerequisites: Access to the Sitecore instance · Network connectivity to the target
Analyzed by devstral-2 on Feb 23, 2026
metasploit · WORKING POC · EXCELLENT
by AssetNote, gwillcox-r7 · ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/http/sitecore_xp_cve_2021_42237.rb

This Metasploit module exploits a pre-authentication deserialization vulnerability in Sitecore XP's Report.ashx handler, leading to arbitrary code execution as NT AUTHORITY\NETWORK SERVICE. It uses a crafted XML payload with a TypeConfuseDelegate gadget chain to trigger RCE.

Classification: Working PoC (100%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Sitecore XP 7.5 to 7.5.2, 8.0 to 8.0.7, 8.1 to 8.1.3, and 8.2 to 8.2.7
Auth: none needed
Prerequisites: Access to the Report.ashx endpoint · Vulnerable Sitecore XP version
Analyzed by devstral-2 on Feb 16, 2026
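
Every entry above reaches the same unauthenticated handler, /sitecore/shell/ClientBin/Reporting/Report.ashx: the scanner probes it with GET, and the working PoCs and the Metasploit module deliver the serialized payload in a POST. The following is an added example, not code from EIP, from Rapid7, or from any listed PoC: a Python triage pass over IIS W3C log lines that flags traffic to that handler, plus a body heuristic keyed on the gadget type names the PoC descriptions mention (SortedSet, ComparisonComparer). The log lines are constructed, the trusted CIDR list is an assumption, and the marker strings are a heuristic rather than a signature of any particular payload.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Iterator, List, Optional

# Unauthenticated handler abused by every PoC listed on this page (compared case-insensitively).
REPORT_HANDLER = "/sitecore/shell/clientbin/reporting/report.ashx"

# Type names the PoC descriptions on this page mention for the serialized gadget
# (a SortedSet whose comparator is a crafted ComparisonComparer delegate).
# Heuristic only (assumption); usable where a WAF or proxy retains the request body.
GADGET_MARKERS = ("SortedSet", "ComparisonComparer")

# Constructed IIS W3C sample: one benign login, an external GET/POST pair against
# Report.ashx, and an internal GET from an operator network.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 8.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2022-03-20 10:01:02 10.0.0.5 GET /sitecore/login - 443 - 203.0.113.7 Mozilla/5.0 200
2022-03-20 10:01:09 10.0.0.5 GET /sitecore/shell/ClientBin/Reporting/Report.ashx - 443 - 203.0.113.7 python-requests/2.27 200
2022-03-20 10:01:10 10.0.0.5 POST /sitecore/shell/ClientBin/Reporting/Report.ashx - 443 - 203.0.113.7 python-requests/2.27 500
2022-03-20 10:05:00 10.0.0.5 GET /sitecore/shell/ClientBin/Reporting/Report.ashx - 443 - 10.0.0.20 Mozilla/5.0 200
"""


@dataclass
class Hit:
    when: str
    client_ip: str
    method: str
    status: str
    reason: str


def parse_w3c(lines: Iterable[str]) -> Iterator[dict]:
    """Yield one dict per IIS W3C record, taking column names from the #Fields:
    directive so the parser follows whatever logging fields are enabled."""
    fields: Optional[List[str]] = None
    for raw in lines:
        line = raw.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) == len(fields):
            yield dict(zip(fields, values))


def _is_trusted(ip: str, nets) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in nets)


def find_report_ashx_hits(lines: Iterable[str], trusted_cidrs: Iterable[str] = ()) -> List[Hit]:
    """Flag traffic to Report.ashx. A POST is where the serialized payload travels
    and is always reported; a GET from outside the trusted networks is reported
    as endpoint probing (the scanner listed above checks the handler with GET)."""
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]
    hits: List[Hit] = []
    for rec in parse_w3c(lines):
        if rec.get("cs-uri-stem", "").lower() != REPORT_HANDLER:
            continue
        method, src = rec.get("cs-method", ""), rec.get("c-ip", "")
        if method == "POST":
            reason = "POST to Report.ashx: possible deserialization payload"
        elif not _is_trusted(src, nets):
            reason = "GET to Report.ashx from untrusted source: endpoint probing"
        else:
            continue
        hits.append(Hit(f"{rec.get('date', '')} {rec.get('time', '')}", src,
                        method, rec.get("sc-status", ""), reason))
    return hits


def body_looks_like_gadget(body: str) -> bool:
    """True if a captured request body carries any of the gadget type names."""
    return any(marker in body for marker in GADGET_MARKERS)


if __name__ == "__main__":
    for hit in find_report_ashx_hits(SAMPLE_IIS_LOG.splitlines(), trusted_cidrs=("10.0.0.0/8",)):
        print(f"{hit.when} {hit.client_ip:15} {hit.method:4} {hit.status} {hit.reason}")
```

IIS logs carry no request body, so `body_looks_like_gadget` only helps where a WAF, reverse proxy or packet capture kept it; on the log alone, any POST to Report.ashx on a build inside the affected range deserves an incident ticket regardless of the returned status code.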

Nuclei Templates (1)

Sitecore Experience Platform Pre-Auth RCE
CRITICAL · by pdteam
Shodan: http.title:"SiteCore" || http.title:"sitecore"
FOFA: title="sitecore"


Scores

CVSS v3: 9.8
EPSS: 0.9921
EPSS Percentile: 99.9%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC (Vulnrichment)

Exploitation: active
Automatable: yes
Technical Impact: total

Details

CISA KEV: 2022-03-25
VulnCheck KEV: 2022-03-25
InTheWild.io: 2021-11-05
ENISA EUVD: EUVD-2021-29215
Ransomware Use: Confirmed
CWE: CWE-502
Status: published
Products (4)
sitecore/experience_platform 7.5 (3 CPE variants)
sitecore/experience_platform 8.0 (9 CPE variants)
sitecore/experience_platform 8.1 (4 CPE variants)
sitecore/experience_platform 8.2 (8 CPE variants)
Published: Nov 05, 2021
KEV Added: Mar 25, 2022
Tracked Since: Feb 18, 2026