Vulnerability research firm WatchTowr has detected seven vulnerabilities in Sitecore, a popular content management system (CMS) provider used by HSBC, United Airlines, P&G and L’Oréal.
In its first report, published on June 17, WatchTowr shared findings about three vulnerabilities that could allow an unauthenticated attacker to perform a complete remote code execution (RCE) on the Sitecore Experience Platform version 10.4.1.
The report highlighted the extent of access that a single hardcoded default password enables and how chaining it with two post-authentication RCE vulnerabilities allows bad actors to build a complete pre-authentication RCE chain.
One-Letter Password By Default
WatchTowr detected the vulnerabilities on February 28, 2025, notified Sitecore and then searched through client attack surfaces for impacted systems and communicated with those affected.
The firm has identified at least 22,000 exposed instances, but estimates that the actual number is significantly higher.
Speaking to Infosecurity, Benjamin Harris, CEO and Founder of WatchTowr, explained how his team found the flaws: “By default, recent versions of Sitecore shipped to users that had a hardcoded password of ‘b’. It’s 2025, and we can’t believe we still have to say this, but that’s very bad. WatchTowr chained this with two post-auth RCEs to achieve full pre-auth RCE on the latest versions of Sitecore (patched only after our disclosure).”
The three vulnerabilities are tracked by WatchTowr as follows:
- WT-2025-0024: Hardcoded Credentials
- WT-2025-0032: Post-Auth RCE (Via Path Traversal)
- WT-2025-0025: Post-Auth RCE (Via Sitecore PowerShell Extension)
They have not yet been assigned CVE identifiers, but WatchTowr believes Sitecore will assign them on June 17.
The flaws were patched in Sitecore Experience Platform’s latest version on May 11. The software provider published a security advisory on June 16 with details of patches and steps to remediate.
On May 29, WatchTowr and Sitecore agreed to hold off on public disclosure until June 17.
No CVE records have been publicly disclosed at the time of writing.
A Popular CMS Provider for Large Enterprises
Harris emphasized that the Sitecore CMS is deployed across thousands of environments, including banks, airlines and global enterprises, suggesting that if exploited, these chained vulnerabilities could have a significant impact on Sitecore customers.
“And no, this isn’t theoretical: we’ve run the full chain, end-to-end. If you’re running Sitecore, it doesn’t get worse than this - rotate credentials and patch immediately before attackers inevitably reverse engineer the fix,” Harris concluded.
WatchTowr said it will disclose four additional vulnerabilities in Sitecore’s products in an upcoming report.
Update: CVEs Assigned
Speaking to Infosecurity, Sitecore confirmed on June 18 that the three vulnerabilities have been assigned CVE identifiers by VulnCheck:
- WT-2025-0024 - Hardcoded Credentials: CVE-2025-34509
- WT-2025-0032 - Post-Auth RCE (Via Path Traversal): CVE-2025-34510
- WT-2025-0025 - Post-Auth RCE (Via Sitecore PowerShell Extension): CVE-2025-34511
"Our customer support teams have proactively communicated these updates to our affected clients. All impacted SaaS products have been remediated, and we strongly advise in-scope on-premises customers to promptly apply the provided patches," a Sitecore spokesperson told Infosecurity.
This article was updated on June 19 to mention Sitecore's security advisory and add the CVE identifiers for the three vulnerabilities.