Tech News

Researchers Warn of Sitecore Exploit Chain Linking Cache Poisoning and Remote Code Execution

By Viral Trending Content 3 Min Read

Aug 29, 2025Ravie LakshmananVulnerability / Web Security

Three new security vulnerabilities have been disclosed in the Sitecore Experience Platform that could be exploited to achieve information disclosure and remote code execution.

The flaws, per watchTowr Labs, are listed below –

  • CVE-2025-53693 – HTML cache poisoning through unsafe reflections
  • CVE-2025-53691 – Remote code execution (RCE) through insecure deserialization
  • CVE-2025-53694 – Information Disclosure in ItemService API with a restricted anonymous user, leading to exposure of cache keys using a brute-force approach

Patches for the first two shortcomings were released by Sitecore in June and for the third in July 2025, with the company stating that “successful exploitation of the related vulnerabilities might lead to remote code execution and non-authorized access to information.”

Identity Security Risk Assessment

The findings build on three more flaws in the same product that were detailed by watchTowr back in June –

  • CVE-2025-34509 (CVSS score: 8.2) – Use of hard-coded credentials
  • CVE-2025-34510 (CVSS score: 8.8) – Post-authenticated remote code execution via path traversal
  • CVE-2025-34511 (CVSS score: 8.8) – Post-authenticated remote code execution via Sitecore PowerShell Extension

watchTowr Labs researcher Piotr Bazydlo said the newly uncovered bugs could be fashioned into an exploit chain by bringing together the pre-auth HTML cache poisoning vulnerability with a post-authenticated remote code execution issue to compromise a fully-patched Sitecore Experience Platform instance.

The entire sequence of events leading up to code execution is as follows: A threat actor could leverage the ItemService API, if exposed, to trivially enumerate HTML cache keys stored in the Sitecore cache and send HTTP cache poisoning requests to those keys.

This could then be chained with CVE-2025-53691 to supply malicious HTML code that ultimately results in code execution by means of an unrestricted BinaryFormatter call.

“We managed to abuse a very restricted reflection path to call a method that lets us poison any HTML cache key,” Bazydlo said. “That single primitive opened the door to hijacking Sitecore Experience Platform pages – and from there, dropping arbitrary JavaScript to trigger a Post-Auth RCE vulnerability.”

You Might Also Like

Gemini 3 Pro Review, 7 Real-World AI Use Cases Tested to Push Its Limits

D-Link warns of new RCE flaws in end-of-life DIR-878 routers

Top tips from a senior engineering manager

ShadowRay 2.0 Exploits Unpatched Ray Flaw to Build Self-Spreading GPU Cryptomining Botnet

Samsung Galaxy A36 Black Friday Deal Saves You £150

TAGGED: , , , , , ,
Share This Article
Previous Article South Korea cracks down on crypto scam after BTS star Jungkook hit in 39 billion hack
Next Article Oppo Reno 13 Pro Review: Photo-Snapping Mid-Ranger That Excels
Leave a comment

Leave a Reply

Your email address will not be published. Required fields are marked *

- Advertisement -

Latest News

Who Is Mckenna Grace? 5 Things About the ‘Sunrise on the Reaping’ Actress
Celebrity
Zoopunk is a New Action Game by the Studio Behind F.I.S.T.: Forged in Shadow Torch
Gaming News
Golden Joystick Awards 2025 winners announced, with Clair Obscur getting GOTY
Gaming News
Intrinsic, an Alphabet company, and Nvidia supplier Foxconn will join forces to deploy AI robots in the latter’s U.S. factories
Business
Mamdani Says He Will Work With Anyone to Benefit New Yorkers Ahead of Meeting With Trump
Politics
Gemini 3 Pro Review, 7 Real-World AI Use Cases Tested to Push Its Limits
Tech News
D-Link warns of new RCE flaws in end-of-life DIR-878 routers
Tech News
Lost your password?