Critical Vulnerabilities in Sitecore Experience Platform Put Thousands of Enterprise Systems at Risk

Security researchers have disclosed a critical vulnerability chain in Sitecore Experience Platform that allows attackers to gain complete control of enterprise systems without authentication.

The vulnerabilities affect versions 10.1 through 10.4 of the popular content management system, potentially exposing over 22,000 instances currently accessible online.

The investigation began when researchers discovered that Sitecore installations contain hardcoded user credentials, with one internal account having a password set to just the single letter “b”.

The affected account, “sitecore\ServicesAPI,” uses this trivial password across all installations of vulnerable versions, representing what security experts describe as an inexcusable security practice for enterprise software.

The hardcoded credentials originated from Sitecore’s installation process, where pre-configured database files automatically create these weak passwords during deployment.

Analysis of multiple Sitecore versions revealed that while earlier releases used stronger passwords for internal accounts, something went wrong during the build process for version 10.1, introducing the single-character password that persisted through subsequent releases.

Researchers noted the particular significance of the letter “b,” which historically served as the default administrator password in older Sitecore versions.

This nostalgic callback became a critical security vulnerability when applied to internal service accounts that administrators typically never modify, following vendor guidance not to alter default user accounts.

Vulnerabilities in Sitecore Experience Platform

While the hardcoded credentials alone provide limited access, researchers demonstrated how they can be chained with additional vulnerabilities to achieve remote code execution.

The attack sequence involves authenticating with the compromised credentials, then exploiting file upload mechanisms to deploy malicious code on target servers.

Two separate post-authentication vulnerabilities enable the final compromise. The first involves a “zip slip” path traversal vulnerability in Sitecore’s file upload functionality, allowing attackers to write files outside intended directories.

The second affects the popular Sitecore PowerShell Extension, which permits unrestricted file uploads to arbitrary filesystem locations.
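Both post-authentication defects come down to the same missing control: a server-side check that a client-supplied file name, whether it arrives as an archive entry or as an upload, resolves to a path inside the directory the application intended. The following Python example is added here to illustrate that check; it is not code from the article, from watchTowr, or from Sitecore, and the upload allowlist and directory names it uses are assumptions for the demonstration. It extracts a constructed archive containing a `../` entry and refuses it, and it rejects an upload whose extension is not on the allowlist.

```python
"""Added example (not from the article or from Sitecore): containment checks
that prevent 'zip slip' extraction and unrestricted file uploads."""
import io
import os
import posixpath
import tempfile
import zipfile

# Assumed allowlist: only non-executable document types may be uploaded.
ALLOWED_UPLOAD_EXTENSIONS = {".png", ".jpg", ".pdf", ".txt"}


def safe_join(base_dir: str, untrusted_name: str) -> str:
    """Resolve untrusted_name under base_dir; raise ValueError if it escapes."""
    base = os.path.realpath(base_dir)
    # Normalise separators so backslash-based traversal is caught as well.
    name = untrusted_name.replace("\\", "/")
    if posixpath.isabs(name):
        raise ValueError(f"absolute path rejected: {untrusted_name!r}")
    candidate = os.path.realpath(os.path.join(base, *name.split("/")))
    # realpath() collapses '..' and symlinks; the result must stay under base.
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"path traversal rejected: {untrusted_name!r}")
    return candidate


def extract_zip_safely(archive_bytes: bytes, dest_dir: str) -> list[str]:
    """Extract an archive, rejecting entries whose names leave dest_dir."""
    written = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            target = safe_join(dest_dir, info.filename)  # raises on '../' names
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(target)
    return written


def validate_upload(filename: str, upload_dir: str) -> str:
    """Return the path an upload may be written to, or raise ValueError."""
    # Keep only the final path component: the client never chooses a directory.
    basename = posixpath.basename(filename.replace("\\", "/"))
    if not basename or basename in (".", ".."):
        raise ValueError("empty or invalid filename")
    ext = os.path.splitext(basename)[1].lower()
    if ext not in ALLOWED_UPLOAD_EXTENSIONS:
        raise ValueError(f"extension {ext!r} not allowed")
    return safe_join(upload_dir, basename)


def build_test_archive(entries: dict[str, bytes]) -> bytes:
    """Constructed sample archive; names are stored verbatim (zipfile does not
    sanitise them on write), so a traversal name survives into the archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def demo() -> dict:
    """Run both checks in a temporary directory and report what happened."""
    dest = tempfile.mkdtemp(prefix="upload-demo-")
    result = {}
    benign = build_test_archive({"docs/readme.txt": b"hello"})
    written = extract_zip_safely(benign, dest)
    result["benign_written"] = [os.path.relpath(p, dest).replace(os.sep, "/") for p in written]
    hostile = build_test_archive({"../escape.txt": b"x", "sub/../../escape2.txt": b"x"})
    try:
        extract_zip_safely(hostile, dest)
        result["hostile_rejected"] = False
    except ValueError:
        result["hostile_rejected"] = True
    parent = os.path.dirname(dest)
    result["escaped_file_exists"] = os.path.exists(os.path.join(parent, "escape.txt"))
    result["upload_ok"] = os.path.relpath(validate_upload("report.pdf", dest), dest)
    try:
        validate_upload("../../page.aspx", dest)
        result["upload_rejected"] = False
    except ValueError:
        result["upload_rejected"] = True
    return result


if __name__ == "__main__":
    print(demo())
```

The containment test resolves both the base directory and the candidate with `realpath()` before comparing them, so symlinked directories and `..` components are handled the same way; checking for the substring `..` alone is not enough. For uploads, discarding everything but the final path component removes the traversal problem, and the extension allowlist is what keeps server-executable content out of a web-served directory.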

The complete attack chain requires no user interaction and can be executed remotely against any vulnerable Sitecore instance.

Once successful, attackers gain the ability to execute arbitrary code with the privileges of the web application, potentially leading to full server compromise.

Widespread Exposure Continues

Security firm watchTowr reported the vulnerabilities to Sitecore in February 2025, with patches becoming available in version 10.4 by May.

However, the delayed public disclosure until June 17, 2025, means many organizations may remain unaware of their exposure.

The vulnerability affects Sitecore installations deployed using vulnerable installers, though systems upgraded from earlier versions may not be impacted if they retained their original databases.

CVE identifiers are expected to be assigned following the public disclosure.

Organizations running Sitecore Experience Platform should immediately verify their version and apply available patches.

The combination of hardcoded credentials and file upload vulnerabilities represents a critical security risk that demands immediate attention from enterprise security teams.

Ethan Brooks

Ethan Brooks is a Senior cybersecurity journalist passionate about threat intelligence and data privacy. His work highlights cyber attacks, hacking, security culture, and cybercrime with The Cyber News.
