Sitecore Exploit Chain Links Cache Poisoning to RCE

New Vulnerabilities in Sitecore Experience Platform

Security researchers from watchTowr Labs have uncovered three critical vulnerabilities in the Sitecore Experience Platform. If exploited, these flaws could allow attackers to obtain sensitive information and even achieve remote code execution (RCE) on targeted systems.

The reported vulnerabilities include:

  • CVE-2025-53693 – HTML cache poisoning caused by unsafe reflections.
  • CVE-2025-53691 – Remote code execution via insecure deserialization.
  • CVE-2025-53694 – Information disclosure through the ItemService API with a restricted anonymous user, exposing cache keys by brute force.

Sitecore released patches for CVE-2025-53693 and CVE-2025-53691 in June 2025, and a fix for CVE-2025-53694 followed in July 2025. The company warned that exploitation could result in unauthorized access and system compromise.

Previously Discovered Issues

These new flaws follow three earlier Sitecore bugs detailed by watchTowr in June:

  • CVE-2025-34509 (CVSS 8.2) – Use of hard-coded credentials.
  • CVE-2025-34510 (CVSS 8.8) – Post-authenticated RCE via path traversal.
  • CVE-2025-34511 (CVSS 8.8) – Post-authenticated RCE through Sitecore PowerShell Extension.

Exploit Chain Possibility

According to Piotr Bazydlo, a researcher at watchTowr Labs, these vulnerabilities can be combined into a powerful exploit chain. For example, an attacker could:

  1. Abuse the ItemService API to enumerate HTML cache keys.
  2. Send HTTP cache poisoning requests to those keys.
  3. Chain the attack with CVE-2025-53691, injecting malicious HTML payloads.
  4. Trigger remote code execution using an unrestricted BinaryFormatter call.

Bazydlo explained that even a limited reflection path was enough to poison HTML cache keys. This allowed attackers to hijack Sitecore pages, inject malicious JavaScript, and exploit post-authentication RCE vulnerabilities.

Security Recommendation

Organizations running Sitecore should:

  • Immediately apply the latest security patches.
  • Restrict public access to the ItemService API.
  • Monitor for suspicious cache poisoning attempts.
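
The second and third recommendations above can be backed by a simple log check. The script below is an added example written for this article; it is not code from watchTowr Labs or Sitecore. It reads IIS W3C log lines in an assumed field order, treats `/sitecore/api/ssc/` as the ItemService route prefix (an assumption, adjust it to your deployment), and flags any client that issues more than a set number of unauthenticated ItemService requests inside a sliding 60-second window, which is the brute-force pattern the advisory describes for cache-key enumeration. The sample log lines are constructed for the demonstration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed ItemService route prefix (Sitecore Services Client); adjust to your site.
ITEMSERVICE_PREFIX = "/sitecore/api/ssc/"
# Tunable thresholds: more than MAX_REQUESTS anonymous ItemService calls from one
# client inside WINDOW is treated as enumeration rather than normal API use.
MAX_REQUESTS = 10
WINDOW = timedelta(seconds=60)

# Assumed W3C field order, as in a common IIS logging configuration:
# date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
FIELDS = ["date", "time", "s_ip", "method", "uri_stem", "uri_query",
          "port", "username", "client_ip", "user_agent", "status"]


def parse_line(line):
    """Turn one W3C log line into a dict; header/comment lines and short lines yield None."""
    parts = line.split()
    if line.startswith("#") or len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
    return rec


def is_anonymous_itemservice(rec):
    """True for ItemService calls made without an authenticated user (cs-username is '-')."""
    return rec["uri_stem"].lower().startswith(ITEMSERVICE_PREFIX) and rec["username"] == "-"


def find_enumeration(lines, max_requests=MAX_REQUESTS, window=WINDOW):
    """Return one alert per client IP whose anonymous ItemService request count
    exceeds max_requests inside any sliding window of length `window`.
    Each alert records the busiest window seen for that client."""
    per_client = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and is_anonymous_itemservice(rec):
            per_client[rec["client_ip"]].append(rec)

    alerts = {}
    for ip, recs in per_client.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            # Advance the window start until all entries fit inside `window`.
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            count = end - start + 1
            if count > max_requests:
                span = recs[start:end + 1]
                prev = alerts.get(ip)
                if prev is None or count > prev["requests"]:
                    alerts[ip] = {
                        "client_ip": ip,
                        "requests": count,
                        # Many distinct paths and many 404s are typical of guessing item paths.
                        "distinct_paths": len({r["uri_stem"] for r in span}),
                        "not_found": sum(1 for r in span if r["status"] == "404"),
                        "window_start": span[0]["ts"].isoformat(),
                    }
    return sorted(alerts.values(), key=lambda a: a["client_ip"])


def sample_log():
    """Constructed sample lines in the assumed field order (not real traffic)."""
    base = datetime(2025, 7, 1, 10, 0, 0)
    lines = ["#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port "
             "cs-username c-ip cs(User-Agent) sc-status"]
    # One client walks candidate item paths anonymously, three seconds apart, hitting 404s.
    for i in range(14):
        ts = base + timedelta(seconds=3 * i)
        lines.append(f"{ts:%Y-%m-%d %H:%M:%S} 10.0.0.5 GET {ITEMSERVICE_PREFIX}item/probe-{i:04d} "
                     f"- 443 - 203.0.113.7 python-requests/2.31 404")
    # Ordinary traffic: a signed-in editor using the API, and a visitor loading pages.
    lines.append(f"{base + timedelta(seconds=5):%Y-%m-%d %H:%M:%S} 10.0.0.5 GET "
                 f"{ITEMSERVICE_PREFIX}item/home - 443 sitecore\\editor 198.51.100.4 Mozilla/5.0 200")
    lines.append(f"{base + timedelta(seconds=9):%Y-%m-%d %H:%M:%S} 10.0.0.5 GET "
                 f"/products/index - 443 - 192.0.2.9 Mozilla/5.0 200")
    lines.append(f"{base + timedelta(seconds=12):%Y-%m-%d %H:%M:%S} 10.0.0.5 GET "
                 f"{ITEMSERVICE_PREFIX}item/home - 443 - 192.0.2.9 Mozilla/5.0 200")
    return lines


if __name__ == "__main__":
    for alert in find_enumeration(sample_log()):
        print(alert)
```

Run against the constructed sample, only the probing client 203.0.113.7 is reported; the authenticated editor is skipped because the check is scoped to anonymous callers, and the single anonymous request from 192.0.2.9 stays under the threshold. The threshold and window are deliberately conservative so the check stays useful once the ItemService API has been restricted to trusted networks: any anonymous burst that still reaches it is then worth a look.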

By addressing these risks quickly, businesses can reduce the chance of attackers chaining these flaws into a full system compromise.