{"id":31237,"date":"2025-08-29T17:56:08","date_gmt":"2025-08-29T17:56:08","guid":{"rendered":"https:\/\/www.europesays.com\/ie\/31237\/"},"modified":"2025-08-29T17:56:08","modified_gmt":"2025-08-29T17:56:08","slug":"researchers-warn-of-sitecore-exploit-chain-linking-cache-poisoning-and-remote-code-execution","status":"publish","type":"post","link":"https:\/\/www.europesays.com\/ie\/31237\/","title":{"rendered":"Researchers Warn of Sitecore Exploit Chain Linking Cache Poisoning and Remote Code Execution"},"content":{"rendered":"<p>Aug 29, 2025 | Ravie Lakshmanan | Vulnerability \/ Web Security<\/p>\n<p><a href=\"https:\/\/www.europesays.com\/ie\/wp-content\/uploads\/2025\/08\/sitecore.jpg\" style=\"display: block;  text-align: center; clear: left; float: left;\"><img decoding=\"async\" src=\"https:\/\/www.europesays.com\/ie\/wp-content\/uploads\/2025\/08\/sitecore.jpg\" alt=\"\" border=\"0\" data-original-height=\"380\" data-original-width=\"728\"\/><\/a><\/p>\n<p>Three new security vulnerabilities have been disclosed in the Sitecore Experience Platform that could be exploited to achieve information disclosure and remote code execution. 
<\/p>\n<p>The flaws, <a href=\"https:\/\/labs.watchtowr.com\/cache-me-if-you-can-sitecore-experience-platform-cache-poisoning-to-rce\/\" rel=\"noopener nofollow\" target=\"_blank\">per watchTowr Labs<\/a>, are listed below &#8211;<\/p>\n<ul>\n<li><strong>CVE-2025-53693<\/strong> &#8211; HTML cache poisoning through unsafe reflections<\/li>\n<li><strong>CVE-2025-53691<\/strong> &#8211; Remote code execution (RCE) through insecure deserialization<\/li>\n<li><strong>CVE-2025-53694<\/strong> &#8211; Information Disclosure in ItemService API with a restricted anonymous user, leading to exposure of cache keys using a brute-force approach<\/li>\n<\/ul>\n<p>Patches for the first two shortcomings were released by Sitecore in <a href=\"https:\/\/support.sitecore.com\/kb?id=kb_article_view&amp;sysparm_article=KB1003667\" rel=\"noopener nofollow\" target=\"_blank\">June<\/a> and for the third in <a href=\"https:\/\/support.sitecore.com\/kb?id=kb_article_view&amp;sysparm_article=KB1003734\" rel=\"noopener nofollow\" target=\"_blank\">July 2025<\/a>, with the company stating that &#8220;successful exploitation of the related vulnerabilities might lead to remote code execution and non-authorized access to information.&#8221;<\/p>\n<p>The findings build on three more flaws in the same product that were <a href=\"https:\/\/thehackernews.com\/2025\/06\/hard-coded-b-password-in-sitecore-xp.html\" rel=\"noopener nofollow\" target=\"_blank\">detailed<\/a> by watchTowr back in June &#8211;<\/p>\n<ul>\n<li><strong>CVE-2025-34509<\/strong> (CVSS score: 8.2) &#8211; Use of hard-coded 
credentials<\/li>\n<li><strong>CVE-2025-34510<\/strong> (CVSS score: 8.8) &#8211; Post-authenticated remote code execution via path traversal<\/li>\n<li><strong>CVE-2025-34511<\/strong> (CVSS score: 8.8) &#8211; Post-authenticated remote code execution via Sitecore PowerShell Extension<\/li>\n<\/ul>\n<p>watchTowr Labs researcher Piotr Bazydlo said the newly uncovered bugs could be fashioned into an exploit chain by bringing together the pre-auth HTML cache poisoning vulnerability with a post-authenticated remote code execution issue to compromise a fully-patched Sitecore Experience Platform instance.<\/p>\n<p>The entire sequence of events leading up to code execution is as follows: A threat actor could leverage the ItemService API, if exposed, to trivially enumerate HTML cache keys stored in the Sitecore cache and send HTTP cache poisoning requests to those keys.<\/p>\n<p>This could then be chained with CVE-2025-53691 to supply malicious HTML code that ultimately results in code execution by means of an unrestricted <a href=\"https:\/\/thehackernews.com\/2024\/11\/new-flaws-in-citrix-virtual-apps-enable.html\" rel=\"noopener nofollow\" target=\"_blank\">BinaryFormatter<\/a> call.<\/p>\n<p>&#8220;We managed to abuse a very restricted reflection path to call a method that lets us poison any HTML cache key,&#8221; Bazydlo said. 
&#8220;That single primitive opened the door to hijacking Sitecore Experience Platform pages &#8211; and from there, dropping arbitrary JavaScript to trigger a Post-Auth RCE vulnerability.&#8221;<\/p>\n","protected":false},"excerpt":{"rendered":"Aug 29, 2025 | Ravie Lakshmanan | Vulnerability \/ Web Security Three new security vulnerabilities have been disclosed in the Sitecore Experience&hellip;\n","protected":false},"author":2,"featured_media":31238,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[74],"tags":[21715,21710,21703,21702,21704,21705,21706,3600,18,21707,21708,21712,19,21713,17,11951,21711,21709,82,21714],"class_list":{"0":"post-31237","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-technology","8":"tag-computer-security","9":"tag-cyber-attacks","10":"tag-cyber-news","11":"tag-cyber-security-news","12":"tag-cyber-security-news-today","13":"tag-cyber-security-updates","14":"tag-cyber-updates","15":"tag-data-breach","16":"tag-eire","17":"tag-hacker-news","18":"tag-hacking-news","19":"tag-how-to-hack","20":"tag-ie","21":"tag-information-security","22":"tag-ireland","23":"tag-network-security","24":"tag-ransomware-malware","25":"tag-software-vulnerability","26":"tag-technology","27":"tag-the-hacker-news"},"share_on_mastodon":{"url":"","error":""},"_links":{"self":[{"href":"https:\/\/www.europesays.com\/ie\/wp-json\/wp\/v2\/posts\/31237","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.europesays.com\/ie\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.europesays.com\/ie\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.europesays.com\/ie\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.europesays.com\/ie\/wp-json\/wp\/v2\/comments?post=31237"}],"version-history":[{"count":0,"href":"https:\/\/www.europesays.com\/ie\/wp-jso
n\/wp\/v2\/posts\/31237\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.europesays.com\/ie\/wp-json\/wp\/v2\/media\/31238"}],"wp:attachment":[{"href":"https:\/\/www.europesays.com\/ie\/wp-json\/wp\/v2\/media?parent=31237"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.europesays.com\/ie\/wp-json\/wp\/v2\/categories?post=31237"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.europesays.com\/ie\/wp-json\/wp\/v2\/tags?post=31237"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}