CVE-2025-27218
MEDIUM EXPLOITED NUCLEISitecore Experience Manager (XM)/Experience Platform (XP) 10.4 - Insecure Deserialization
Title source: nucleiDescription
Sitecore Experience Manager (XM) and Experience Platform (XP) 10.4 before KB1002844 allow remote code execution through insecure deserialization.
Exploits (2)
exploitdb
WORKING POC
by Yesith Alvarez · pythonwebappsmultiple
https://www.exploit-db.com/exploits/52344
metasploit
WORKING POC
EXCELLENT
by Dylan Pindur, machang-r7 · rubypocwin
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/http/sitecore_xp_cve_2025_27218.rb
Nuclei Templates (1)
Sitecore Experience Manager (XM)/Experience Platform (XP) 10.4 - Insecure Deserialization
MEDIUMVERIFIEDby iamnoooob,rootxharsh,pdresearch
Scores
CVSS v3
5.3
EPSS
0.7611
EPSS Percentile
98.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Details
VulnCheck KEV
2025-03-27
CWE
CWE-94
Status
published
Published
Feb 20, 2025
Tracked Since
Feb 18, 2026