CVE-2025-27218

MEDIUM EXPLOITED NUCLEI

Sitecore Experience Manager (XM)/Experience Platform (XP) 10.4 - Insecure Deserialization

Title source: nuclei

Exploitation Summary

CVE-2025-27218 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 2 public exploits from researchers including Yesith Alvarez, Dylan Pindur, machang-r7, including a Metasploit module exploits/windows/http/sitecore_xp_cve_2025_27218. A Nuclei detection template is also available.

AI-analyzed exploit summary This exploit targets a deserialization vulnerability in Sitecore 10.3-10.4, allowing remote code execution via a crafted payload in the 'Thumbnailsaccesstoken' header. The payload is a base64-encoded ysoserial.net-generated BinaryFormatter object.

Description

Sitecore Experience Manager (XM) and Experience Platform (XP) 10.4 before KB1002844 allow remote code execution through insecure deserialization.

Exploits (2)

exploitdb WORKING POC

by Yesith Alvarez · pythonwebappsmultiple

https://www.exploit-db.com/exploits/52344

View Code ZIP pw:eip

This exploit targets a deserialization vulnerability in Sitecore 10.3-10.4, allowing remote code execution via a crafted payload in the 'Thumbnailsaccesstoken' header. The payload is a base64-encoded ysoserial.net-generated BinaryFormatter object.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Sitecore 10.3 - 10.4

No auth needed

Prerequisites: ysoserial.net to generate the payload · network access to the target

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

metasploit WORKING POC EXCELLENT

by Dylan Pindur, machang-r7 · rubypocwin

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/http/sitecore_xp_cve_2025_27218.rb

View Code ZIP pw:eip

This Metasploit module exploits a .NET deserialization vulnerability in Sitecore XP/XM 10.4 via a malicious Base64-encoded BinaryFormatter payload injected into the 'Thumbnailsaccesstoken' HTTP header, leading to remote code execution.

Classification

Working Poc 100%

Attack Type

Deserialization

Complexity

Moderate

Reliability

Reliable

Target: Sitecore Experience Manager (XM) and Experience Platform (XP) 10.4

No auth needed

Prerequisites: Target running Sitecore XP/XM 10.4 · Network access to the target's HTTP/HTTPS service

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1505 - Server Software Component

devstral-2 · analyzed Feb 16, 2026 Full analysis →

Nuclei Templates (1)

Sitecore Experience Manager (XM)/Experience Platform (XP) 10.4 - Insecure Deserialization

MEDIUMVERIFIEDby iamnoooob,rootxharsh,pdresearch

References (1)

Core 1

Core References

Various Sources

https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1003535

Scores

CVSS v3 5.3

EPSS 0.7568

EPSS Percentile 98.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

VulnCheck KEV 2025-03-27

CWE

CWE-94

Status published

Published Feb 20, 2025

Tracked Since Feb 18, 2026