CVE-2025-34510
Severity: HIGH | Exploited in the wild
Sitecore XP CVE-2025-34510 Post-Authentication Remote Code Execution
Title source: metasploit
Exploitation Summary
CVE-2025-34510 has been observed exploited in the wild (reported by VulnCheck KEV).
Description
Sitecore Experience Manager (XM), Experience Platform (XP), and Experience Commerce (XC) versions 9.0 through 9.3 and 10.0 through 10.4 are affected by a Zip Slip vulnerability. A remote, authenticated attacker can exploit this issue by sending a crafted HTTP request to upload a ZIP archive containing path traversal sequences, allowing arbitrary file writes and leading to code execution.
References (2)
Core References (2)
1. Exploit, Third Party Advisory (tags: third-party-advisory, exploit, technical-description)
   https://labs.watchtowr.com/is-b-for-backdoor-pre-auth-rce-chain-in-sitecore-experience-platform/
2. Vendor Advisory (tags: vendor-advisory)
   https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1003667
Scores
CVSS v3: 8.8
EPSS: 0.0931
EPSS Percentile: 94.7%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: no
Technical Impact: total
Details
VulnCheck KEV: 2025-06-22
CWE: CWE-23
Status: published
Products (5)
sitecore/experience_commerce: 9.0 - 10.4
sitecore/experience_manager: 9.0 - 10.4
sitecore/experience_platform: 10.4
sitecore/experience_platform: 9.0 - 10.4
sitecore/managed_cloud: (no version range listed)
Published: Jun 17, 2025
Tracked Since: Feb 18, 2026