CVE-2019-9875
Vexday Risk Score: 56 (Attention)
SSVC decision (CISA): Act (exploitation + impact → act immediately)
CVSS 8.8 · EPSS 14.2% · KEV: yes · PoC: — · Nuclei: — · Metasploit: — · Patch: —
Lifecycle
31 May 2019: Published on NVD
26 Mar 2025: Active exploitation (CISA KEV)
Recommendation: Patch as soon as possible — active exploitation confirmed.
In short
A flaw in Sitecore's CSRF protection allows an authenticated attacker to execute arbitrary code by sending specially crafted serialized data. This happens because the system deserializes untrusted data without proper validation.
Technical detail
CWE-502 unsafe deserialization in Sitecore's anti-CSRF module permits code execution via malicious serialized .NET objects in POST parameters. Attack requires prior authentication and exploits the absence of integrity checks on deserialized payloads, leading to arbitrary code execution on the server.
Summary generated and translated by AI from the official description.
Deserialization of Untrusted Data in the anti CSRF module in Sitecore through 9.1 allows an authenticated attacker to execute arbitrary code by sending a serialized .NET object in an HTTP POST parameter.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
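As an added defensive example (not from this page, Vexday or Sitecore): a small Python check that flags form-encoded POST parameters carrying a .NET BinaryFormatter stream, the payload form the description refers to. The BinaryFormatter header bytes are a documented format constant; the parameter names and sample body are constructed for the example.

```python
import base64
from urllib.parse import parse_qs, quote_plus

# A .NET BinaryFormatter stream opens with a SerializationHeaderRecord:
# record type 0x00, root id 1, header id -1 (FF FF FF FF), then version fields.
BINARYFORMATTER_MAGIC = b"\x00\x01\x00\x00\x00\xff\xff\xff\xff"


def looks_like_dotnet_payload(value: str) -> bool:
    """True if a form-field value carries a BinaryFormatter stream, either
    raw or base64-encoded (the usual way such objects travel in a POST)."""
    if value.encode("latin-1", errors="ignore").startswith(BINARYFORMATTER_MAGIC):
        return True
    # Form parsers turn a literal '+' into a space; base64 never contains
    # spaces, so restoring them before decoding is safe.
    candidate = value.strip().replace(" ", "+")
    try:
        decoded = base64.b64decode(candidate, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return decoded.startswith(BINARYFORMATTER_MAGIC)


def flag_suspicious_params(body: str) -> list[str]:
    """Parse an application/x-www-form-urlencoded body and return the names
    of parameters whose value looks like a serialized .NET object."""
    fields = parse_qs(body, keep_blank_values=True)
    return sorted(
        name for name, values in fields.items()
        if any(looks_like_dotnet_payload(v) for v in values)
    )


# Constructed sample: header record plus an 8-byte version tail. It is a
# truncated fragment, not an object graph; the parameter names are hypothetical.
_SAMPLE_STREAM = BINARYFORMATTER_MAGIC + b"\x01\x00\x00\x00\x00\x00\x00\x00"
SAMPLE_BODY = (
    "__RequestVerificationToken=" + quote_plus("c3JmdG9rZW4=")
    + "&state=" + quote_plus(base64.b64encode(_SAMPLE_STREAM).decode("ascii"))
    + "&comment=" + quote_plus("hello world")
)

if __name__ == "__main__":
    print(flag_suspicious_params(SAMPLE_BODY))  # ['state']
```

The check is a triage aid for request logs or a WAF rule, not a substitute for patching: an authenticated user can still reach the vulnerable module until the fix is applied.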
Affected products
n/a · n/a