CVE-2025-34509

Sitecore Experience Platform Hardcoded Credentials Vulnerability

CVE-2025-34509 is a hardcoded credential vulnerability affecting the Sitecore Experience Platform. This vulnerability, discovered by WatchTowr, affects Sitecore Experience Platform versions 10.1, 10.2, 10.3, and 10.4. It is due to the sitecore\ServicesAPI user having a hardcoded password, “b”, stemming from DACPAC files used in the product installer to create the database.

Exploitation allows remote attackers to bypass security controls by logging in with the sitecore\ServicesAPI user, even though it has no assigned roles. This is achieved by targeting the /sitecore/admin endpoint, which bypasses a database check that would normally prevent authentication if the database is “core.” Successful authentication grants a valid .AspNet.Cookies session cookie, enabling an attacker to bypass IIS authorization rules and access directories normally protected from unauthenticated users (e.g., /sitecore/shell, /sitecore/admin, App_Config). This significantly expands the application’s attack surface and can allow for the retrieval of sensitive information, such as available API endpoints.

When chained with CVE-2025-34510 or CVE-2025-34511, it can lead to remote code execution and full compromise of the system.

Impact

Successful exploitation of this vulnerability can lead to:

  • Unauthorized access to sensitive user information.
  • Increased attack surface, opening up possibilities for further post-authentication vulnerabilities.
  • Remote code execution and full compromise of the system when chained with CVE-2025-34510 or CVE-2025-34511.
  • Widespread vulnerability across Sitecore instances that used affected installers, as the hardcoded password is not unique or changed during installation.

Mitigations

  • It is strongly recommended to refer to the vendor advisory from Sitecore and apply available patches. Patches were made available by Sitecore as of June 17, 2025, allowing customers to deploy them. While Sitecore’s guidance states that default user accounts should not be changed, applying vendor-provided patches is the primary method of mitigation. Users who upgraded from older Sitecore installations (e.g., 9.1) and migrated their existing database may not be affected.

Rapid Response N-Day Testing

Run the Test Now



🔗 CVE-2025-34509 | NIST Detail

🔗 Is b For Backdoor? | Watchtwr Blog

Read about other CVEs

CVE-2024-23108

Fortinet FortiSIEM 2nd Order Command Injection

Read More

CVE-2023-43208

NextGen Mirth Connect Pre-Auth RCE

Read More

CVE-2023-34992

Fortinet FortiSIEM Command Injection

Read More

NodeZero® Platform

Implement a continuous find, fix, and verify loop with NodeZero

The NodeZero® platform empowers your organization to reduce your security risks by autonomously finding exploitable weaknesses in your network, giving you detailed guidance around how to priortize and fix them, and having you immediately verify that your fixes are effective.
Explore NodeZero

Recognized By