CVE-2025-34509

HIGH 7.5

Sitecore XM and XP Hardcoded Credentials

CVSS Score

7.5

EPSS Score

0.0%

EPSS Percentile

0th

Sitecore Experience Manager (XM) and Experience Platform (XP) versions 10.1 to 10.1.4 rev. 011974 PRE, all versions of 10.2, 10.3 to 10.3.3 rev. 011967 PRE, and 10.4 to 10.4.1 rev. 011941 PRE contain a hardcoded user account. Unauthenticated and remote attackers can use this account to access administrative API over HTTP.

CWE	CWE-798
Vendor	sitecore
Product	experience manager
Published	Jun 17, 2025
Last Updated	Feb 26, 2026

Stay Ahead of the Next One

Get instant alerts for sitecore experience manager

Be the first to know when new high vulnerabilities affecting sitecore experience manager are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Affected Versions

Sitecore / Experience Manager

10.4 < 10.4.1 rev. 011941 PRE 10.3 < 10.3.3 rev. 011967 PRE 10.1 < 10.1.4 rev. 011974 PRE

Sitecore / Experience Platform

10.4 < 10.4.1 rev. 011941 PRE 10.3 < 10.3.3 rev. 011967 PRE 10.1 < 10.1.4 rev. 011974 PRE

References

NVD ↗ CVE.org ↗ EPSS Data ↗

labs.watchtowr.com: https://labs.watchtowr.com/is-b-for-backdoor-pre-auth-rce-chain-in-sitecore-experience-platform/ support.sitecore.com: https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1003667

Credits

Piotr Bazydlo of watchTowr