CVE-2025-34510
BaseFortify

Publication date: 2025-06-17

Last updated on: 2025-09-08

Assigner: VulnCheck

Description
Sitecore Experience Manager (XM), Experience Platform (XP), and Experience Commerce (XC) versions 9.0 through 9.3 and 10.0 through 10.4 are affected by a Zip Slip vulnerability. A remote, authenticated attacker can exploit this issue by sending a crafted HTTP request to upload a ZIP archive containing path traversal sequences, allowing arbitrary file writes and leading to code execution.
Meta Information
Generated: 2026-05-07
AI Q&A: 2025-06-17
EPSS Evaluated: 2026-05-05
References: NVD, EUVD
Affected Vendors & Products
Showing 5 associated CPEs

Vendor    Product              Version / Range
sitecore  experience_commerce  9.0 (inclusive) through 10.4 (inclusive)
sitecore  experience_manager   9.0 (inclusive) through 10.4 (inclusive)
sitecore  experience_platform  9.0 (inclusive) up to 10.4 (exclusive)
sitecore  experience_platform  10.4
sitecore  managed_cloud        all versions (*)

Note that the CPE ranges run continuously from 9.0 to 10.4, while the advisory text names 9.0 through 9.3 and 10.0 through 10.4. When checking exposure, go by the installed version and Sitecore's own patch guidance rather than a CPE match alone.
CWE
CWE-23 (Relative Path Traversal): The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a Zip Slip issue in Sitecore Experience Manager (XM), Experience Platform (XP), and Experience Commerce (XC) versions 9.0 through 9.3 and 10.0 through 10.4. Zip Slip is path traversal (CWE-23) during archive extraction: the extractor joins each entry's name to the destination folder without normalising it, so an entry named like "../../web.config" or "..\..\shell.aspx" is written outside the intended directory. A remote, authenticated attacker sends a crafted HTTP request that uploads such an archive, obtains an arbitrary file write on the server, and, because the application is ASP.NET, can typically turn that write into remote code execution by planting a server-side script under the web root.


How can this vulnerability impact me?

An authenticated attacker can write arbitrary files on the server by uploading a crafted ZIP archive. That write is the pivot to remote code execution, so the attacker can run code as the Sitecore application pool identity on the affected host. The CVSS score of 8.8 indicates high severity with impact on confidentiality, integrity, and availability. Because the bug requires authentication, its real-world reach depends on how easily an attacker obtains a Sitecore account; the hardcoded 'sitecore\ServicesAPI' credential discussed below removes that barrier where it is present.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

There is no simple network probe for the Zip Slip itself: it lives in how an upload handler extracts archives, and exercising it to test for it means writing files on the target. What the resources describe is a check for a related weakness. The internal user 'sitecore\ServicesAPI' ships with the hardcoded password 'b'; a successful login with it against the Sitecore admin site (/sitecore/admin) that returns a valid ASP.NET session cookie (.AspNet.Cookies) confirms that weakness, which is tracked as a separate CVE from the same disclosure but is what hands an attacker the authenticated session this issue requires. Practical checks for this issue are therefore: compare the installed Sitecore version and hotfix level against the affected ranges above; inspect HTTP traffic or web server logs for multipart uploads of ZIP archives to the Sitecore backend and, where the archive body is available, for entry names containing '..' sequences, backslashes, or absolute paths; and hunt on the file system for recently created .aspx, .ashx, or other executable files outside the normal media and temp locations, which is the footprint a successful write leaves. Specific commands are not provided in the resources. [1]


What immediate steps should I take to mitigate this vulnerability?

The definitive fix is to apply Sitecore's patches for this issue to every affected XM, XP, and XC instance (Managed Cloud deployments are listed as affected too). Until that is done: restrict the Sitecore backend, including /sitecore/admin, to trusted networks and users; inspect or block uploads of ZIP archives whose entry names contain path traversal sequences or absolute paths, at a WAF or reverse proxy if the application cannot do it; and, where the deployment permits, run the application pool under an identity that cannot write to the web root or other executable locations, so that an escaped write lands somewhere harmless. Separately, audit and change default internal user credentials, especially 'sitecore\ServicesAPI', whose default password 'b' is the companion weakness that supplies the authentication this bug requires. Rotating it does not remove the Zip Slip, but it closes the unauthenticated path to it. [1]
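
The check that separates a Zip Slip payload from a normal upload, serving both the detection and the mitigation answers above, as an added example that is not part of this advisory or of Sitecore's code: it resolves every archive member's destination before anything is written, flags members that would escape the upload folder, and pairs that with a hardened extractor that refuses the whole archive on the first offending entry. The archives are constructed in memory for the example; the destination folder name, the member names, and the helper function names are assumptions.

```python
from __future__ import annotations

import io
import os
import tempfile
import zipfile


def _normalize_entry(name: str) -> str:
    # Treat backslashes as separators: archives built on Windows, and
    # attackers targeting a .NET extractor, use them interchangeably.
    return name.replace("\\", "/")


def is_traversal(member_name: str, dest_dir: str) -> bool:
    """True if extracting `member_name` under `dest_dir` would land outside it.

    Compares the *resolved* target with the destination root, so it catches
    '..' anywhere in the name, absolute paths and Windows drive letters,
    not just a literal leading '../'.
    """
    name = _normalize_entry(member_name)
    # 'C:foo' is drive-relative on Windows but looks like a plain file name
    # on POSIX; reject drive letters explicitly instead of trusting path math.
    if len(name) >= 2 and name[0].isalpha() and name[1] == ":":
        return True
    dest = os.path.realpath(dest_dir)
    # os.path.join drops `dest` when `name` is absolute; resolving the joined
    # path and comparing it with `dest` is what flags that case.
    target = os.path.realpath(os.path.join(dest, name))
    return os.path.commonpath([dest, target]) != dest


def find_traversal_entries(zip_bytes: bytes, dest_dir: str) -> list[str]:
    """Member names of an in-memory archive that would escape `dest_dir`.
    Nothing is written, so this is safe to run on an untrusted upload."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [i.filename for i in zf.infolist() if is_traversal(i.filename, dest_dir)]


def safe_extract(zip_bytes: bytes, dest_dir: str) -> list[str]:
    """Hardened extractor: reject the whole archive if any member escapes,
    otherwise write each member to its validated path. Returns the paths
    written, relative to `dest_dir`, sorted."""
    offenders = find_traversal_entries(zip_bytes, dest_dir)
    if offenders:
        raise ValueError(f"Zip Slip: refusing archive, offending entries {offenders}")
    dest = os.path.realpath(dest_dir)
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = os.path.realpath(os.path.join(dest, _normalize_entry(info.filename)))
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(os.path.relpath(target, dest))
    return sorted(written)


def build_archive(entries: dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP from {member_name: content}. Constructed sample
    data for this example, not a real Sitecore package."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples. The hostile archive mimics a Zip Slip payload that
# climbs out of the upload folder; the "web shell" bodies are placeholders.
BENIGN_ZIP = build_archive({
    "media/logo.png": b"\x89PNG placeholder",
    "media/docs/readme.txt": b"hello",
})
HOSTILE_ZIP = build_archive({
    "media/logo.png": b"\x89PNG placeholder",
    "../../shell.aspx": b"<placeholder>",      # POSIX-style climb
    "..\\..\\shell2.aspx": b"<placeholder>",   # Windows-style climb
    "/var/www/shell3.aspx": b"<placeholder>",  # absolute path
})


def extract_to_tempdir(zip_bytes: bytes) -> list[str] | None:
    """Extract into a fresh temporary directory (assumed stand-in for the
    upload folder). Returns the paths written, or None if rejected."""
    dest = tempfile.mkdtemp(prefix="sitecore-upload-")
    try:
        return safe_extract(zip_bytes, dest)
    except ValueError:
        return None


if __name__ == "__main__":
    print("hostile entries:", find_traversal_entries(HOSTILE_ZIP, "/tmp/sitecore-upload"))
    print("benign extract :", extract_to_tempdir(BENIGN_ZIP), "hostile:", extract_to_tempdir(HOSTILE_ZIP))
```

Python's own zipfile.extractall already strips leading slashes and '..' components, so the example writes members itself; the point is the resolved-path comparison, which is the check an extractor in any language needs and which a plain substring test for "../" misses (backslash variants, absolute paths, drive letters). Run as a pre-extraction gate on the upload handler or as an offline scan over archives pulled from a proxy capture.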

