CVE Reports

Posted on • Originally published at cvereports.com

Cache Me Outside: Sitecore Unsafe Reflection to RCE (CVE-2025-53693)

Vulnerability ID: CVE-2025-53693
CVSS Score: 9.8
Published: 2025-09-03

A critical unsafe-reflection vulnerability (CWE-470) in the XAML handler of Sitecore Experience Platform and Experience Manager lets an unauthenticated attacker invoke methods on server-side controls by name. By reaching the protected AddToCache method of AjaxScriptManager through reflection, the attacker writes attacker-controlled HTML into the application's HTML output cache, so every visitor to the affected page is served the injected JavaScript until the entry is evicted. That stored XSS turns the CMS into a watering hole against its own administrators: once an administrator session is captured, the attacker has the authenticated access needed for the subsequent steps of the chain to Remote Code Execution (RCE).

TL;DR

Unauthenticated attackers can abuse the /-/xaml/ endpoint to call the protected AddToCache method through reflection and plant arbitrary HTML/JS in the server-side HTML cache for any page. On its own that is a stored XSS delivered to every visitor of the poisoned page; RCE follows only once an administrator is compromised through it.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-470 (Use of Externally-Controlled Input to Select Classes or Code, "Unsafe Reflection")
  • Attack Vector: Network (Unauthenticated)
  • CVSS Score: 9.8 (Critical)
  • Impact: Stored XSS via HTML cache poisoning, chained to Administrator compromise and RCE
  • Vulnerable Component: AjaxScriptManager (reached through the /-/xaml/ handler)
  • Method: Unsafe Reflection

Affected Systems

  • Sitecore Experience Platform (XP) 9.0 - 9.3 (Fixed in: Hotfix KB1003667)
  • Sitecore Experience Platform (XP) 10.0 - 10.4 (Fixed in: Hotfix KB1003667)
  • Sitecore Experience Manager (XM) 9.0 - 9.3
  • Sitecore Experience Manager (XM) 10.0 - 10.4

Exploit Details

  • watchTowr Labs: Original research and PoC for Cache Poisoning via AjaxScriptManager

Mitigation Strategies

  • Input Validation: reject method names and arguments in XAML handler requests that the target control does not expect
  • Method Whitelisting: dispatch only to an explicit allowlist of client-callable methods instead of resolving request-supplied names by reflection
  • WAF Filtering: block /-/xaml/ requests that carry AddToCache, matching case-insensitively and after URL decoding
  • Network Segmentation: keep the /-/xaml/ handler reachable only from networks where content authoring actually happens, not from the Internet-facing content delivery surface

Remediation Steps:

  1. Apply the Sitecore security hotfix KB1003667 immediately; every other step below is a stopgap or a cleanup, not a fix.
  2. Until patched, configure the WAF to block requests to /-/xaml/ whose query string or body contains AddToCache. Match case-insensitively and after URL decoding, since a literal-string rule is trivially evaded by encoding the method name.
  3. Disable the Sitecore.Web.UI.WebControls.AjaxScriptManager on content delivery (CD) servers where it is not strictly required.
  4. Flush the HTML cache (/sitecore/admin/cache.aspx) after patching to remove any poisoned entries; flushing before the hotfix is in place only buys time until the attacker re-poisons it. Preserve web server logs of /-/xaml/ requests first, since the flush removes the injected markup itself and the request logs become the only record of what was planted.
