Sitecore SPE: When 'b' Equals Pwned - Analyzing CVE-2025-34511
Vulnerability ID: CVE-2025-34511
CVSS Score: 8.8
Published: 2025-06-17
A critical unrestricted file upload vulnerability in Sitecore PowerShell Extensions (SPE) allows authenticated attackers to upload executable ASPX files, leading to Remote Code Execution (RCE). Although the flaw technically requires authentication, it is frequently chained with CVE-2025-34509, a hardcoded-credential vulnerability in which the password of the 'sitecore\ServicesAPI' account is the single letter 'b', which turns it into a trivial, effectively pre-auth RCE chain.
TL;DR
Sitecore PowerShell Extensions contains an unrestricted file upload flaw in PowerShellUploadFile2.aspx. Combined with hardcoded credentials (user: sitecore\ServicesAPI, pass: b), attackers can upload ASPX webshells and gain full system control.
⚠️ Exploit Status: WEAPONIZED
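The two indicators the TL;DR gives a defender are the upload endpoint (PowerShellUploadFile2.aspx) and the hardcoded service account (sitecore\ServicesAPI). The following is an added detection example, not code from the advisory or from Sitecore: it parses IIS W3C logs by their #Fields header and flags any request to that endpoint and any request authenticated as that account. The log records and the directory portion of the upload path are constructed for illustration; match on the file name, not the constructed directory.

```python
"""Detection: surface hits on the SPE upload endpoint and use of the
sitecore\\ServicesAPI account in IIS W3C logs.  Added example, not code from
the advisory or from Sitecore; the log records and the directory part of
the upload path below are constructed for illustration."""
from dataclasses import dataclass
from urllib.parse import unquote

UPLOAD_ENDPOINT = "powershelluploadfile2.aspx"   # file named in the advisory
HARDCODED_ACCOUNT = r"sitecore\servicesapi"      # account named in the advisory

# Constructed sample: IIS W3C extended log.  IIS writes spaces in the URI
# stem as '+'; cs-username is '-' until the request is authenticated.
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-06-18 10:01:02 10.0.0.5 GET /sitecore/login - 443 - 203.0.113.7 curl/8.0 200
2025-06-18 10:01:03 10.0.0.5 POST /sitecore/login - 443 - 203.0.113.7 curl/8.0 302
2025-06-18 10:01:04 10.0.0.5 POST /sitecore+modules/Shell/PowerShell/UploadFile/PowerShellUploadFile2.aspx - 443 sitecore\ServicesAPI 203.0.113.7 curl/8.0 200
2025-06-18 10:02:00 10.0.0.5 GET /sitecore/shell/default.aspx - 443 sitecore\admin 198.51.100.9 Mozilla/5.0 200
"""


@dataclass
class Finding:
    line_no: int
    reason: str
    client_ip: str
    uri: str


def _normalise_uri(stem: str) -> str:
    """IIS logs spaces as '+', clients may send %20; compare in one form."""
    return unquote(stem.replace("+", " ")).lower()


def parse_w3c(text: str):
    """Yield (line_no, record) for each data line, keyed by the #Fields header."""
    fields = None
    for line_no, line in enumerate(text.splitlines(), 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("log record appears before any #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed record; a production parser would count these
        yield line_no, dict(zip(fields, values))


def scan(text: str) -> list[Finding]:
    """Flag upload-endpoint requests and any use of the hardcoded account."""
    findings = []
    for line_no, rec in parse_w3c(text):
        uri = _normalise_uri(rec.get("cs-uri-stem", ""))
        user = rec.get("cs-username", "-").lower()
        ip = rec.get("c-ip", "-")
        if uri.endswith("/" + UPLOAD_ENDPOINT):
            findings.append(Finding(line_no, "SPE upload endpoint requested", ip, uri))
        if user == HARDCODED_ACCOUNT:
            findings.append(Finding(line_no, "hardcoded ServicesAPI account used", ip, uri))
    return findings


def summarise(findings: list[Finding]) -> dict[str, int]:
    """Count findings per reason, e.g. for an alert threshold."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.reason] = counts.get(f.reason, 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.reason} from {f.client_ip} -> {f.uri}")
    print(summarise(scan(SAMPLE_LOG)))
```

On the constructed sample only the upload request trips both rules; a single hit on the upload endpoint is already worth an alert, because the endpoint has no legitimate use from the internet. The ServicesAPI rule assumes cs-username is populated by your authentication setup; where it is not, correlate on the client IP of the login POST instead.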
Technical Details
- CWE ID: CWE-434
- Attack Vector: Network
- CVSS v3.1: 8.8 (High)
- EPSS Score: 0.78652 (78.65%)
- Impact: Remote Code Execution (RCE)
- Exploit Status: Weaponized (Metasploit Available)
Affected Systems
- Sitecore Experience Manager (XM) 10.0 - 10.4
- Sitecore Experience Platform (XP) 10.0 - 10.4
- Sitecore Experience Commerce (XC) 9.0 - 10.4
- Sitecore PowerShell Extensions (SPE) <= 7.0 (fixed in 7.1)
Exploit Details
- Metasploit: Ruby module that exploits the authentication bypass and file upload to achieve RCE.
- watchTowr Labs: Original research detailing the vulnerability chain.
Mitigation Strategies
- Upgrade Software
- Credential Rotation
- Network Segmentation
- Input Validation
Remediation Steps:
- Upgrade Sitecore PowerShell Extensions (SPE) to version 7.1 or higher.
- Change the password for 'sitecore\ServicesAPI' and 'sitecore\PowerShellExtensionsAPI' accounts immediately.
- Configure IIS to block external access to '/sitecore modules' and '/sitecore/admin' paths.
- Review 'web.config' to ensure the 'CheckPermissions' processor is enabled for uploads.
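The remediation steps above are easy to state and easy to leave half done. The following is an added audit example, not Sitecore's or SPE's own tooling: it checks the installed SPE version against the fixed 7.1 release, checks that the upload pipeline's CheckPermissions processor is present and not switched off, and lists which of the two named accounts still need a password change after the 2025-06-17 disclosure. The web.config fragments are constructed, with the weak setting beside the corrected one; the processor type name follows Sitecore's usual naming and is an assumption to confirm against your own configuration. The IIS path restriction in the step above is an IIS-side change and is not checked here.

```python
"""Audit helpers for the CVE-2025-34511 remediation steps: SPE version,
the uiUpload CheckPermissions processor, and rotation of the two accounts.
Added example, not Sitecore's or SPE's own tooling.  The web.config
fragments are constructed; the processor type name follows Sitecore's
usual naming and is an assumption to confirm against your own config."""
from datetime import date
import xml.etree.ElementTree as ET

FIXED_SPE_VERSION = (7, 1)            # fixed release named in the advisory
DISCLOSURE_DATE = date(2025, 6, 17)   # publication date of the advisory
RISKY_ACCOUNTS = (r"sitecore\ServicesAPI", r"sitecore\PowerShellExtensionsAPI")

# Constructed: the weak setting, CheckPermissions switched off ...
WEAK_CONFIG = """<configuration><sitecore><pipelines><uiUpload>
  <processor mode="off" type="Sitecore.Pipelines.Upload.CheckPermissions, Sitecore.Kernel"/>
  <processor type="Sitecore.Pipelines.Upload.Save, Sitecore.Kernel"/>
</uiUpload></pipelines></sitecore></configuration>"""

# ... and the corrected form with the processor enabled.  A processor with
# no mode attribute is treated as enabled here (assumption).
FIXED_CONFIG = """<configuration><sitecore><pipelines><uiUpload>
  <processor mode="on" type="Sitecore.Pipelines.Upload.CheckPermissions, Sitecore.Kernel"/>
  <processor type="Sitecore.Pipelines.Upload.Save, Sitecore.Kernel"/>
</uiUpload></pipelines></sitecore></configuration>"""


def parse_version(text: str) -> tuple[int, ...]:
    """'7.0.1' -> (7, 0, 1); tuples compare element-wise like versions."""
    return tuple(int(part) for part in text.strip().split("."))


def spe_is_vulnerable(version: str) -> bool:
    """True when the installed SPE release is older than the fixed 7.1."""
    return parse_version(version) < FIXED_SPE_VERSION


def check_upload_permissions(web_config_xml: str) -> list[str]:
    """Findings for the uiUpload pipeline: processor missing or mode='off'."""
    root = ET.fromstring(web_config_xml)
    processors = root.findall(".//pipelines/uiUpload/processor")
    if not processors:
        return ["uiUpload pipeline not found in this config"]
    checks = [p for p in processors if "CheckPermissions" in p.get("type", "")]
    if not checks:
        return ["CheckPermissions processor missing from uiUpload pipeline"]
    return ['CheckPermissions processor present but mode="off"'
            for p in checks if p.get("mode", "on").lower() == "off"]


def credentials_need_rotation(last_changed: dict[str, date]) -> list[str]:
    """Accounts from the advisory whose password was not changed after disclosure."""
    changed = {name.lower(): when for name, when in last_changed.items()}
    return [acct for acct in RISKY_ACCOUNTS
            if changed.get(acct.lower(), date.min) <= DISCLOSURE_DATE]


def audit(spe_version: str, web_config_xml: str,
          last_changed: dict[str, date]) -> list[str]:
    """Combine the three checks into one findings list (empty means remediated)."""
    findings = []
    if spe_is_vulnerable(spe_version):
        findings.append(f"SPE {spe_version} is below the fixed release 7.1")
    findings.extend(check_upload_permissions(web_config_xml))
    findings.extend(f"rotate password for {acct}"
                    for acct in credentials_need_rotation(last_changed))
    return findings


if __name__ == "__main__":
    for line in audit("7.0", WEAK_CONFIG, {}):
        print("FINDING:", line)
    rotated = {acct: date(2025, 7, 1) for acct in RISKY_ACCOUNTS}
    print("remediated:", audit("7.1", FIXED_CONFIG, rotated) == [])
```

Feed `audit` the SPE assembly version, the relevant web.config (or patched Sitecore config) text and the password-last-set dates from your identity store; an empty list is the pass condition. A password set on the disclosure date itself is still reported, since it may have been set before the advisory was read.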
References
Read the full report for CVE-2025-34511 on our website for more details including interactive diagrams and full exploit analysis.