Security Vulnerabilities in Sitecore Experience Platform Expose Enterprise Systems to Attack

Security researchers have uncovered a critical pre-authentication Remote Code Execution (RCE) chain in Sitecore Experience Platform (XP), a widely used enterprise content management system.

The vulnerability chain, reported in February 2025, exploits a series of flaws, most notably hardcoded credentials for an internal API user, leading to potentially catastrophic consequences for organizations running vulnerable Sitecore versions.

The investigation revealed that Sitecore XP versions 10.1 through 10.4 ship with a sitecore\ServicesAPI user whose password is hardcoded as a single letter: b.

This credential is embedded in the product’s installation database and remains unchanged across all deployments, making it trivial for attackers to gain authenticated access.

The password hash is stored in the dbo.aspnet_Membership table using a format akin to:

textbase64encode(sha1(base64decode(salt) + utf-16-le-encode(password)))

Despite the user having no explicit administrative roles, attackers can leverage Sitecore’s authentication mechanisms to generate a valid session cookie, bypassing standard permission checks and gaining access to restricted parts of the application.

Chaining to RCE:

Once authenticated as the ServicesAPI user, attackers can exploit two major post-authentication vulnerabilities to achieve RCE:

• WT-2025-0032 (CVE-2025-XXXXX): Zip Slip in UploadPage
  • The /sitecore/shell/Applications/Dialogs/Upload/Upload2.aspx The endpoint allows authenticated users to upload files.
  • By carefully crafting a ZIP file containing files with path traversal sequences (e.g., /\/../webshell.aspx), attackers can exploit improper validation in the SaveUnpackedFiles method, writing arbitrary files to the webroot—even without knowing the exact filesystem path.
  • This is a classic Zip Slip vulnerability, enabling the deployment of webshells or other malicious payloads.
• WT-2025-0025 (CVE-2025-XXXXX): Unrestricted Upload in PowerShell Extensions
  • If the popular Sitecore PowerShell Extension is installed, attackers can use the /sitecore modules/Shell/PowerShell/UploadFile/PowerShellUploadFile2.aspx endpoint to upload files with any extension to any location, provided the IIS user has write permissions.
  • This occurs because the upload handler does not restrict file types or paths, and all relevant arguments are attacker-controlled.

Sample Exploit HTTP Request:

textPOST /sitecore modules/Shell/PowerShell/UploadFile/PowerShellUploadFile2.aspx?hdl=1245516121 HTTP/2
Host: target.sitecore.instance
Cookie: .AspNet.Cookies=ServicesAPI-user-cookie
Content-Type: multipart/form-data; boundary=----Boundary
...
------Boundary
Content-Disposition: form-data; name="watchTowr"; filename="poc.aspx"
Content-Type: text/plain

<webshell code>
------Boundary--

Timeline, Impact, and Risk Assessment

The vulnerabilities were responsibly disclosed to Sitecore, with patches released in version 10.4.1.

However, due to the prevalence of default credentials and the risk of organizations not applying patches promptly, thousands of publicly exposed Sitecore instances remain at risk.

Risk Factor Table

This research exposes a severe security lapse in an enterprise-grade CMS, highlighting the dangers of hardcoded credentials and insufficient validation in file upload mechanisms.

Organizations using Sitecore XP versions 10.1–10.4 should immediately update to the latest patched version and review internal user credentials.

The risk of mass compromise is significant, especially given the ease of exploitation and the number of exposed instances.

As the security community continues to scrutinize enterprise software, this incident serves as a stark reminder: even mature platforms can harbor simple yet devastating vulnerabilities if secure coding and deployment practices are not rigorously enforced.

Find this Story Interesting! Follow us on LinkedIn and X to Get More Instant Updates