CVE-2025-34509
Sitecore XM and XP Hardcoded Credentials
In short
Sitecore XM and XP contain a hardcoded username and password built into the software. An attacker can use this account to remotely access administrative features without needing legitimate credentials, potentially compromising the entire website.
Technical detail
Sitecore XM and XP versions 10.1–10.4.1 contain hardcoded credentials (CWE-798) embedded in the application. Unauthenticated remote attackers can leverage these credentials to authenticate to administrative APIs exposed over HTTP, bypassing authentication controls and gaining unauthorized administrative access.
Summary generated and translated by AI from the official description.
Sitecore Experience Manager (XM) and Experience Platform (XP) versions 10.1 to 10.1.4 rev. 011974 PRE, all versions of 10.2, 10.3 to 10.3.3 rev. 011967 PRE, and 10.4 to 10.4.1 rev. 011941 PRE contain a hardcoded user account. Unauthenticated and remote attackers can use this account to access the administrative API over HTTP.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N