CVE-2025-34138
BaseFortify
Publication date: 2025-07-25
Last updated on: 2025-12-04
Assigner: VulnCheck
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| sitecore | sitecore_xp | 10.4 |
| sitecore | managed_cloud | 9.2 |
| sitecore | managed_cloud | 10.4 |
| sitecore | sitecore_xp | 9.2 |
| sitecore | sitecore_xm | 10.4 |
| sitecore | sitecore_xm | 9.2 |
| sitecore | sitecore_xc | 9.2 |
| sitecore | sitecore_xc | 10.4 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-34138 is a critical remote code execution vulnerability in Sitecore Experience Manager (XM), Experience Platform (XP), Experience Commerce (XC), and Managed Cloud versions from 9.2 Initial Release through 10.4 Initial Release, including PaaS and containerized solutions. It allows an attacker to remotely execute code or gain unauthorized access to information without any authentication or user interaction. [1]
How can this vulnerability impact me?
This vulnerability can have severe impacts including remote code execution by attackers, leading to unauthorized access to sensitive information, potential data breaches, and disruption of service availability. Because it requires no authentication or user interaction, it poses a high risk to affected systems. [1]