Sitecore PowerShell Extensions, an add-on to Sitecore Experience Manager (XM) and Experience Platform (XP), through version 7.0 is vulnerable to an unrestricted file upload issue. A remote, authenticated attacker can upload arbitrary files to the server using crafted HTTP requests, resulting in remote code execution.
References
| Link | Resource |
|---|---|
| https://labs.watchtowr.com/is-b-for-backdoor-pre-auth-rce-chain-in-sitecore-experience-platform/ | Exploit Third Party Advisory |
| https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1003667 | Vendor Advisory |
Configurations
Configuration 1 (hide)
|
History
08 Sep 2025, 19:10
| Type | Values Removed | Values Added |
|---|---|---|
| CPE | cpe:2.3:a:sitecore:experience_platform:*:*:*:*:*:*:*:* cpe:2.3:a:sitecore:experience_manager:*:*:*:*:*:*:*:* cpe:2.3:a:sitecore:managed_cloud:-:*:*:*:*:*:*:* cpe:2.3:a:sitecore:experience_platform:10.4:-:*:*:*:*:*:* cpe:2.3:a:sitecore:experience_commerce:*:*:*:*:*:*:*:* |
|
| First Time |
Sitecore experience Platform
Sitecore managed Cloud Sitecore Sitecore experience Manager Sitecore experience Commerce |
|
| References | () https://labs.watchtowr.com/is-b-for-backdoor-pre-auth-rce-chain-in-sitecore-experience-platform/ - Exploit, Third Party Advisory | |
| References | () https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1003667 - Vendor Advisory |
22 Jul 2025, 14:15
| Type | Values Removed | Values Added |
|---|---|---|
| Summary |
|
|
| References |
|
17 Jun 2025, 19:15
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2025-06-17 19:15
Updated : 2025-09-08 19:10
NVD link : CVE-2025-34511
Mitre link : CVE-2025-34511
CVE.ORG link : CVE-2025-34511
JSON object : View
Products Affected
sitecore
- experience_platform
- experience_manager
- experience_commerce
- managed_cloud
CWE
CWE-434
Unrestricted Upload of File with Dangerous Type