Vulnerability Description
Sitecore Experience Manager (XM) and Experience Platform (XP) versions 10.1 to 10.1.4 rev. 011974 PRE, all versions of 10.2, 10.3 to 10.3.3 rev. 011967 PRE, and 10.4 to 10.4.1 rev. 011941 PRE contain a hardcoded user account. Unauthenticated and remote attackers can use this account to access administrative API over HTTP.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Sitecore | Experience Commerce | >= 9.0, <= 10.4 |
| Sitecore | Experience Manager | >= 9.0, <= 10.4 |
| Sitecore | Experience Platform | >= 9.0, < 10.4 |
| Sitecore | Managed Cloud | - |
Related Weaknesses (CWE)
References
- https://labs.watchtowr.com/is-b-for-backdoor-pre-auth-rce-chain-in-sitecore-expeExploitThird Party Advisory
- https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1003667Vendor Advisory
FAQ
What is CVE-2025-34509?
CVE-2025-34509 is a vulnerability with a CVSS score of 7.5 (HIGH). Sitecore Experience Manager (XM) and Experience Platform (XP) versions 10.1 to 10.1.4 rev. 011974 PRE, all versions of 10.2, 10.3 to 10.3.3 rev. 011967 PRE, and 10.4 to 10.4.1 rev. 011941 PRE contain ...
How severe is CVE-2025-34509?
CVE-2025-34509 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-34509?
Check the references section above for vendor advisories and patch information. Affected products include: Sitecore Experience Commerce, Sitecore Experience Manager, Sitecore Experience Platform, Sitecore Managed Cloud.