Sitecore Zip Slip: When 'b' Stands for Backdoor and RCE
Vulnerability ID: CVE-2025-34510
CVSS Score: 8.8
Published: 2025-06-17
A critical Zip Slip vulnerability in Sitecore Experience Platform allows for Remote Code Execution. When chained with a ridiculous hardcoded credential vulnerability (CVE-2025-34509), this becomes a trivial pre-authentication RCE chain affecting enterprise-grade CMS installations worldwide.
TL;DR
Sitecore contains a classic Zip Slip vulnerability in its file upload logic. By uploading a malicious ZIP file, an attacker can overwrite files anywhere on the system. Worse, a hardcoded account (sitecore\ServicesAPI : b) allows unauthenticated attackers to log in and exploit this, granting full System/IIS access.
⚠️ Exploit Status: WEAPONIZED
Technical Details
- CVSS: 8.8 (High)
- Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- CWE: CWE-23 (Relative Path Traversal)
- EPSS Score: 0.808 (High)
- Attack Vector: Network (Authenticated via Bypass)
- Exploit Status: PoC Available / Weaponized
Affected Systems
- Sitecore Experience Platform (XP) 9.0 - 10.4
- Sitecore Experience Manager (XM) 9.0 - 10.4
- Sitecore Experience Commerce (XC) 9.0 - 10.4
- Sitecore Experience Platform: 9.0 - 10.4 (Fixed in: Hotfix KB1003667)
Exploit Details
- watchTowr Labs: Original research detailing the auth bypass and Zip Slip chain.
Mitigation Strategies
- Input Validation
- Path Canonicalization
- Principle of Least Privilege
- Network Segmentation
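The input-validation and path-canonicalization items above are what a Zip Slip fix comes down to: resolve every entry name against the extraction root before writing a single byte, and reject the whole archive if any entry escapes. The block below is an added illustration, not Sitecore's code or the watchTowr research; it assumes a Python upload handler and constructs its own sample archives in memory.

```python
import io
import os
import re
import zipfile


def is_safe_entry(dest_dir: str, entry_name: str) -> bool:
    """Return True only if the entry resolves to a path inside dest_dir."""
    # Treat backslashes as separators: Sitecore runs on Windows/IIS, where they traverse.
    name = entry_name.replace("\\", "/")
    # Reject absolute paths and drive-letter prefixes outright.
    if name.startswith("/") or re.match(r"^[A-Za-z]:", name):
        return False
    dest_root = os.path.realpath(dest_dir)
    # Canonicalize the joined path; any '..' segments collapse here.
    target = os.path.realpath(os.path.join(dest_root, name))
    # The target must be the root itself or strictly beneath it.
    return target == dest_root or target.startswith(dest_root + os.sep)


def check_archive(zip_bytes: bytes, dest_dir: str) -> list[str]:
    """Return the entry names that would escape dest_dir (empty means safe)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if not is_safe_entry(dest_dir, n)]


def safe_extract(zip_bytes: bytes, dest_dir: str) -> list[str]:
    """Validate every entry before writing anything; abort the archive on traversal."""
    bad = check_archive(zip_bytes, dest_dir)
    if bad:
        raise ValueError(f"archive rejected, traversal entries: {bad}")
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        zf.extractall(dest_dir)
        return zf.namelist()


def build_zip(entries: dict[str, bytes]) -> bytes:
    """Build a constructed sample archive in memory (test data, not a real upload)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: one well-formed package, one carrying a '..' entry name.
BENIGN_ZIP = build_zip({"package/readme.txt": b"ok"})
TRAVERSAL_ZIP = build_zip({"package/readme.txt": b"ok", "../../escape.txt": b"x"})
```

Checking the whole name list first, rather than per entry during extraction, matters because a partially written archive is itself a foothold.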
Remediation Steps:
- Download the cumulative hotpatch from Sitecore KB1003667.
- Deploy the patch to all Content Management (CM) and Standalone instances.
- Verify the removal or password rotation of the sitecore\ServicesAPI account.
- Restrict access to /sitecore/admin and /sitecore/shell via IP allowlisting.
References
Read the full report for CVE-2025-34510 on our website for more details including interactive diagrams and full exploit analysis.