Deserialization of Untrusted Data vulnerability in Sitecore Experience Manager (XM), Sitecore Experience Platform (XP) allows Code Injection.This issue affects Experience Manager (XM): through 9.0; Experience Platform (XP): through 9.0.
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:HSitecore Experience Commerce
APPSitecore≤ 9.0Sitecore Experience Manager
APPSitecore≤ 9.0Sitecore Experience Platform
APPSitecore≤ 9.0Sitecore Managed Cloud
APPSitecorewszystkie wersje
CISA KEV — detailsi
- Vendori
- Sitecore
- Producti
- Multiple Products
- Added to KEVi
- September 4, 2025
- Remediation deadline (US Federal)i
- September 25, 2025(overdue)
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Sitecore Experience Manager (XM), Experience Platform (XP), Experience Commerce (XC), and Managed Cloud contain a deserialization of untrusted data vulnerability involving the use of default machine keys. This flaw allows attackers to exploit exposed ASP.NET machine keys to achieve remote code execution.
Related vulnerabilities
Sitecore XP 7.5 Initial Release to Sitecore XP 8.2 Update-7 is vulnerable to an insecure deserialization attac...
Deserialization of Untrusted Data in the Sitecore.Security.AntiCSRF (aka anti CSRF) module in Sitecore CMS 7.0...
Unsafe Reflection umożliwiający Cache Poisoning w Sitecore XM/XP
Multiple Sitecore products allow remote code execution. This affects Experience Manager, Experience Platform, ...
Deserialization of Untrusted Data in Sitecore Experience Platform through 10.2 allows remote attackers to run ...