Sitecore CMS Platform Vulnerabilities Enable Remote Code Execution

Sitecore Experience Platform Vulnerabilities
Critical vulnerabilities have been identified in the Sitecore Experience Platform that allow attackers to fully compromise systems through an attack chain combining HTML cache poisoning with remote code execution.
These vulnerabilities also allow attackers to enumerate cache keys and configuration details via the exposed ItemServices API, which makes targeted exploitation easier.
Key Vulnerabilities
- CVE-2025-53693: Allows attackers to inject HTML via AddToCache.
- CVE-2025-53691: Exploits BinaryFormatter.Deserialize() for full code execution.
- CVE-2025-53694: Exposes cache key details, aiding targeted attacks.
Technical Details
The primary vulnerability, CVE-2025-53693, enables HTML cache poisoning through unsafe reflection in the XamlPageHandlerFactory handler. The attack abuses the AjaxScriptManager.DispatchMethod() function, which dynamically invokes methods based on user-supplied parameters. Attackers can target the endpoint at /-/xaml/Sitecore.Shell.Xaml.WebControl with crafted POST requests containing malicious __PARAMETERS and __SOURCE values.
The core exploitation occurs through the AddToCache(string, string) method in Sitecore.Web.UI.WebControl, which lets attackers inject arbitrary HTML into Sitecore’s cache.
The second critical vulnerability, CVE-2025-53691, enables remote code execution through insecure deserialization in the BinaryFormatter.Deserialize() method. The flaw lies in the Sitecore.Convert.Base64ToObject() function, which deserializes base64-encoded objects without validation. The attack chain leverages the ConvertToRuntimeHtml pipeline, targeting iframe elements that carry embedded serialized payloads.
Additionally, CVE-2025-53694 exposes sensitive information via the ItemServices API, allowing attackers to enumerate cache keys and system configuration. This vulnerability provides unauthorized access to Sitecore item metadata, including caching settings and device configurations, which facilitates targeted cache poisoning attacks.
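As an added example (not code from the advisory or from Sitecore), the following Python scans IIS W3C-format web-server logs for the two request patterns described above: POST requests to the XAML WebControl handler, and bursts of distinct ItemServices lookups from a single client. The ItemServices path prefix, the field order and the enumeration threshold are assumptions to adjust to your own installation; the log lines are constructed.

```python
from collections import defaultdict

# Endpoint named in the advisory: the XAML handler that reaches AjaxScriptManager.DispatchMethod().
XAML_WEBCONTROL = "/-/xaml/sitecore.shell.xaml.webcontrol"
# Assumed path prefix of the Sitecore ItemServices REST API (CVE-2025-53694); adjust to your install.
ITEMSERVICES_PREFIX = "/sitecore/api/ssc/"
ENUM_THRESHOLD = 20  # assumed: distinct ItemServices paths from one client before flagging enumeration

# Column order of the constructed sample log below (a common IIS W3C field selection).
# IIS writes '+' instead of spaces inside field values, so whitespace splitting is safe.
FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
          "s-port", "cs-username", "c-ip", "cs(User-Agent)", "sc-status"]


def parse_line(line):
    """Split one W3C-format IIS line into a dict; returns None for directives and short lines."""
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    return dict(zip(FIELDS, parts)) if len(parts) >= len(FIELDS) else None


def scan_iis_log(lines):
    """Return findings as (rule, client_ip, detail) tuples."""
    findings = []
    item_paths = defaultdict(set)  # client ip -> distinct ItemServices paths requested
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        stem, method = rec["cs-uri-stem"].lower(), rec["cs-method"].upper()
        # Rule 1: a POST to the XAML WebControl handler is not part of normal visitor traffic.
        if method == "POST" and stem == XAML_WEBCONTROL:
            findings.append(("xaml-webcontrol-post", rec["c-ip"], rec["cs-uri-stem"]))
        # Rule 2: count distinct ItemServices paths per client; a burst suggests metadata enumeration.
        if stem.startswith(ITEMSERVICES_PREFIX):
            item_paths[rec["c-ip"]].add(stem)
    for ip, paths in item_paths.items():
        if len(paths) >= ENUM_THRESHOLD:
            findings.append(("itemservices-enumeration", ip, f"{len(paths)} distinct item paths"))
    return findings


# Constructed sample log (not real traffic): a normal page view, one POST to the XAML handler,
# and 25 ItemServices item lookups from the same client.
SAMPLE_LOG = [
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status",
    "2025-07-01 10:00:00 10.0.0.5 GET /en/home - 443 - 198.51.100.7 Mozilla/5.0 200",
    "2025-07-01 10:00:05 10.0.0.5 POST /-/xaml/Sitecore.Shell.Xaml.WebControl - 443 - 203.0.113.9 python-requests/2.32 200",
] + [f"2025-07-01 10:01:{i:02d} 10.0.0.5 GET /sitecore/api/ssc/item/{i:08x} - 443 - 203.0.113.9 curl/8.0 200"
     for i in range(25)]
```

Running scan_iis_log(SAMPLE_LOG) yields one finding per rule, both attributed to the client 203.0.113.9; on real logs, feed lines from the IIS log file and tune ENUM_THRESHOLD to the volume your own integrations generate.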
Vulnerability Severity
| CVE | Title | Severity |
|---|---|---|
| CVE-2025-53693 | HTML Cache Poisoning | High |
| CVE-2025-53691 | Deserialization Remote Code Execution | Critical |
| CVE-2025-53694 | ItemServices Metadata Disclosure | High |
Mitigation and Updates
Sitecore released patches for these vulnerabilities in June and July 2025. Organizations running the Sitecore Experience Platform are advised to apply these security updates promptly and to review their ItemServices API exposure, since these flaws affect numerous enterprise installations globally.