CVE-2025-34509

HIGH EXPLOITED NUCLEI

Sitecore Experience Manager (XM) / Experience Platform (XP) 10.1 - 10.4.1 - Hard-coded Credentials

Title source: rule

Description

Sitecore Experience Manager (XM) and Experience Platform (XP) versions 10.1 to 10.1.4 rev. 011974 PRE, all versions of 10.2, 10.3 to 10.3.3 rev. 011967 PRE, and 10.4 to 10.4.1 rev. 011941 PRE contain a hard-coded user account. Unauthenticated, remote attackers can use this account to access the administrative API over HTTP.
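The description gives the affected ranges as version plus revision, so a quick inventory triage needs a small comparator rather than a string match. The following script is an added example, not part of this page, the VulnCheck record, or Sitecore's own tooling; it transcribes the ranges from the description above (the products table below lists broader 9.0+ ranges, but the checker follows the description's explicit bounds). It assumes version strings of the form "10.3.1", "10.4.1 rev. 011941" or "10.4.1 rev. 011941 PRE" (suffixes after the revision are ignored) and treats a missing revision at a boundary patch level as affected. If the vendor fix ships as a hotfix that leaves the reported version string unchanged, a match here means "investigate", not "confirmed vulnerable". Hostnames in the sample inventory are constructed.

```python
import re
from typing import Dict, List, Optional, Tuple

# Affected ranges transcribed from the description above.
# Key: (major, minor). Value: (last affected patch level, last affected revision).
# A None patch means every build of that minor line is affected ("all versions of 10.2").
AFFECTED: Dict[Tuple[int, int], Tuple[Optional[int], Optional[int]]] = {
    (10, 1): (4, 11974),    # 10.1 .. 10.1.4 rev. 011974
    (10, 2): (None, None),  # all of 10.2
    (10, 3): (3, 11967),    # 10.3 .. 10.3.3 rev. 011967
    (10, 4): (1, 11941),    # 10.4 .. 10.4.1 rev. 011941
}

# Accepts "10.3.1", "10.4.1 rev. 011941", "10.4.1 rev. 011941 PRE" (trailing suffix ignored).
_VERSION_RE = re.compile(
    r"^\s*(\d+)\.(\d+)(?:\.(\d+))?(?:\s*rev\.?\s*(\d+))?", re.IGNORECASE
)


def parse_version(text: str) -> Tuple[int, int, int, Optional[int]]:
    """Return (major, minor, patch, revision); revision is None when absent."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Sitecore version string: {text!r}")
    major, minor = int(m.group(1)), int(m.group(2))
    patch = int(m.group(3)) if m.group(3) else 0
    rev = int(m.group(4)) if m.group(4) else None
    return major, minor, patch, rev


def is_affected(version: str) -> bool:
    """True if the version falls inside one of the ranges listed in the description."""
    major, minor, patch, rev = parse_version(version)
    bounds = AFFECTED.get((major, minor))
    if bounds is None:
        return False
    last_patch, last_rev = bounds
    if last_patch is None:
        return True
    if patch != last_patch:
        return patch < last_patch
    # Same patch level as the last affected build: the revision decides.
    # An unknown revision is treated as affected so the host is not silently skipped.
    return rev is None or rev <= last_rev


def triage(inventory: List[Tuple[str, str]]) -> List[str]:
    """Return hostnames whose reported version matches an affected range."""
    return [host for host, version in inventory if is_affected(version)]


# Constructed sample inventory (hostnames and versions are made up for this example).
SAMPLE_INVENTORY = [
    ("cm-prod-01", "10.4.1 rev. 011941 PRE"),
    ("cm-prod-02", "10.4.1 rev. 011942"),
    ("cd-legacy", "10.2.3"),
    ("cm-staging", "10.3.4"),
    ("cm-old", "9.3.0 rev. 003498"),
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: version inside an affected range, check whether the Sitecore fix is applied")
```

The comparator only decides by patch level when it differs from the boundary build; at the boundary patch level the revision number is the deciding field, which is why inventory exports that strip the "rev." suffix are treated conservatively.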

Exploits (1)

metasploit · WORKING · POC · EXCELLENT
by Piotr Bazydlo, msutovsky-r7 · ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/http/sitecore_xp_cve_2025_34510.rb
(The module is named for CVE-2025-34510; it uses the hard-coded account from this CVE to authenticate before exploiting that issue.)

Nuclei Templates (1)

Sitecore Experience Manager (XM) and Experience Platform (XP) - Hardcoded Credentials
HIGH · VERIFIED · by daffainfo
Shodan: title:"sitecore"

Scores

CVSS v3 7.5
EPSS 0.1812
EPSS Percentile 95.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

VulnCheck KEV 2025-06-22
CWE
CWE-798
Status published
Products (5)
sitecore/experience_commerce 9.0 - 10.4
sitecore/experience_manager 9.0 - 10.4
sitecore/experience_platform 10.4
sitecore/experience_platform 9.0 - 10.4
sitecore/managed_cloud
Published Jun 17, 2025
Tracked Since Feb 18, 2026