Sitecore.Client is vulnerable to Zip Slip
Critical Risk (score: 100)
Security researchers discovered a critical vulnerability chain (CVE-2025-34509, CVE-2025-34510, CVE-2025-34511) in Sitecore Experience Platform (XP) that can lead to pre-authenticated remote code execution. The issue stems from the use of a hard-coded password for the default sitecore\ServicesAPI user, which allows attackers to authenticate and interact with exposed administrative endpoints. Once authenticated, an attacker can upload a specially crafted ZIP file to trigger a path traversal vulnerability, ultimately placing a web shell in the server’s webroot. Additionally, a flaw in the Sitecore PowerShell Extensions permits unrestricted file uploads, enabling further code execution. These vulnerabilities affect installations starting from version 10.1, provided the default installer was used. While upgrades from earlier versions may be less exposed, the potential for exploitation remains high. Due to the widespread use of Sitecore in critical sectors like finance and aviation, users are urged to rotate credentials and apply security patches immediately.
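The Zip Slip step in the chain above works because an extractor trusts archive entry names like `../../escaped.txt` and writes them outside the intended directory. The following is an added illustration (not Sitecore's code, and Python rather than .NET) of the check a safe extractor should apply: resolve every entry against the destination root and refuse anything that lands outside it. The archive it inspects is constructed inline.

```python
import io
import os
import tempfile
import zipfile
from pathlib import Path, PurePosixPath


def is_safe_member(root: Path, member_name: str) -> bool:
    """True only if the entry name resolves to a path inside root."""
    # Absolute POSIX paths, leading slashes and Windows drive letters escape
    # the root by construction, so reject them before any resolution.
    if member_name.startswith(("/", "\\")) or PurePosixPath(member_name).is_absolute():
        return False
    if len(member_name) > 1 and member_name[1] == ":":
        return False
    # Normalise separators, resolve '..' segments, then require that the
    # final location is the root itself or one of its descendants.
    target = (root / member_name.replace("\\", "/")).resolve()
    root_resolved = root.resolve()
    return target == root_resolved or root_resolved in target.parents


def safe_extract(zip_bytes: bytes, dest: str) -> list:
    """Extract only entries that stay under dest; return the rejected names."""
    root = Path(dest)
    root.mkdir(parents=True, exist_ok=True)
    rejected = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not is_safe_member(root, info.filename):
                rejected.append(info.filename)  # log/alert here in production
                continue
            zf.extract(info, root)
    return rejected


def build_sample_archive() -> bytes:
    """Constructed test archive: one benign entry and one traversal entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("package/readme.txt", "benign content")
        zf.writestr("../../escaped.txt", "must never be written outside dest")
    return buf.getvalue()


def demo() -> tuple:
    """Run the guard in a temp dir; return (rejected, benign_written, escaped_written)."""
    dest = tempfile.mkdtemp()
    rejected = safe_extract(build_sample_archive(), dest)
    benign = os.path.exists(os.path.join(dest, "package", "readme.txt"))
    escaped = os.path.exists(os.path.join(os.path.dirname(dest), "escaped.txt"))
    return rejected, benign, escaped
```

The same rule applies to any upload handler that unpacks archives: compare the resolved target against the destination root, not the raw entry string.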
You are affected if you use any vulnerable version of any Sitecore package.
Sitecore.Client is vulnerable to Zip Slip in versions 9.0.0 - 10.4.0.
Upgrade Sitecore.Client to a patched version.