← back
CVE-2025-27218

CVE-2025-27218

CVSS 5.3 MEDIUMEPSS 63.6%CWE-94
Vexday Risk Score
60Attention
SSVC decision (CISA)
Attend
PoC available → attend closely
CVSS 5.3EPSS 63.6%KEV nãoPoC públicaNuclei simMetasploit simPatch
Lifecycle
06 Jan 2025Metasploit module available
20 Feb 2025Published on NVD
26 Jun 2025Public PoC
Recommendation: Plan a near-term fix — a public PoC already exists.
Sitecore Experience Manager (XM) and Experience Platform (XP) 10.4 before KB1002844 allow remote code execution through insecure deserialization.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Affected products
n/a · n/a
public PoCs found1
exploitdbwww.exploit-db.com/exploits/52344unverified
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1003535