Chained Flaws in Enterprise CMS Provider Sitecore Could Allow RCE


Vulnerability research firm WatchTowr has detected seven vulnerabilities in Sitecore, a popular content management system (CMS) provider used by HSBC, United Airlines, P&G and L’Oréal.

In its first report, published on June 17, WatchTowr shared findings on three vulnerabilities that, chained together, could allow an unauthenticated attacker to achieve full remote code execution (RCE) on Sitecore Experience Platform version 10.4.1.

The report highlighted how much access a single weak default password grants, and how chaining it with two post-authentication RCE vulnerabilities gives attackers a complete pre-authentication RCE chain: the hardcoded credential supplies the authentication step that the two RCE flaws otherwise require.

One-Letter Password By Default

WatchTowr detected the vulnerabilities on February 28, 2025, notified Sitecore and then searched through client attack surfaces for impacted systems and communicated with those affected.

The firm has identified at least 22,000 exposed instances, but estimates that the actual number is significantly higher.

Speaking to Infosecurity, Benjamin Harris, CEO and Founder of WatchTowr, explained how his team found the flaws: “By default, recent versions of Sitecore shipped to users that had a hardcoded password of ‘b’. It’s 2025, and we can’t believe we still have to say this, but that’s very bad. WatchTowr chained this with two post-auth RCEs to achieve full pre-auth RCE on the latest versions of Sitecore (patched only after our disclosure).”

The three vulnerabilities are tracked by WatchTowr as follows:

  • WT-2025-0024: Hardcoded Credentials
  • WT-2025-0032: Post-Auth RCE (Via Path Traversal)
  • WT-2025-0025: Post-Auth RCE (Via Sitecore PowerShell Extension)

They have not yet been assigned CVE identifiers; WatchTowr expects Sitecore to assign them on June 17. No CVE records had been published at the time of writing.

The flaws were patched in the latest version of Sitecore Experience Platform on May 11.

On May 29, WatchTowr and Sitecore agreed to delay public disclosure until June 17.

A Popular CMS Provider for Large Enterprises

Harris emphasized that the Sitecore CMS is deployed across thousands of environments, including banks, airlines and global enterprises, suggesting that if exploited, these chained vulnerabilities could have a significant impact on Sitecore customers.

“And no, this isn’t theoretical: we’ve run the full chain, end-to-end. If you’re running Sitecore, it doesn’t get worse than this – rotate credentials and patch immediately before attackers inevitably reverse engineer the fix,” Harris concluded.

WatchTowr said it will disclose four additional vulnerabilities in Sitecore’s products in an upcoming report.


