CVE-2025-34509: The 'b' Key to the Kingdom: Sitecore Hardcoded Credentials

#security #cve #cybersecurity

The 'b' Key to the Kingdom: Sitecore Hardcoded Credentials

Vulnerability ID: CVE-2025-34509
CVSS Score: 7.5
Published: 2025-06-17

A critical lapse in database seeding practices left a default user account enabled in Sitecore Experience Manager and Experience Platform versions 10.1 through 10.4. The account, 'sitecore\ServicesAPI', was configured with the single-character password 'b'. While this user lacks administrative privileges, the valid session it generates allows attackers to bypass IIS-level authentication checks, serving as the necessary precursor for critical Remote Code Execution chains.

TL;DR

Sitecore shipped a database snapshot with a hardcoded user 'sitecore\ServicesAPI' having the password 'b'. Attackers can use this to get a valid session cookie, bypassing 'web.config' restrictions and opening the door to RCE vulnerabilities like CVE-2025-34510.

⚠️ Exploit Status: POC

Technical Details

CWE ID: CWE-798
Attack Vector: Network
CVSS Score: 7.5 (High)
EPSS Score: 23.18%
Exploit Status: PoC Available
Likelihood: High

Affected Systems

Sitecore Experience Manager (XM)
Sitecore Experience Platform (XP)
Sitecore XM/XP: 10.1.0 - 10.1.3 (Fixed in: 10.1.4)
Sitecore XM/XP: 10.2.x (Fixed in: See Vendor Advisory)
Sitecore XM/XP: 10.3.0 - 10.3.2 (Fixed in: 10.3.3)
Sitecore XM/XP: 10.4.0 (Fixed in: 10.4.1)

Exploit Details

Nuclei: Nuclei template to check for successful login with 'b' password.

Mitigation Strategies

Credential Rotation
Network Segmentation
WAF Rule Deployment

Remediation Steps:

Log in to Sitecore User Manager as an Administrator.
Locate the user 'sitecore\ServicesAPI'.
Change the password to a cryptographically secure value.
Alternatively, disable the account if confirmed unused by custom implementations.
Apply Sitecore cumulative hotfix KB1003667.