PT-2025-25745 · Sitecore · Sitecore Experience Manager, Sitecore Experience Platform
Piotr Bazydlo · Published 2025-02-28 · Updated 2025-12-27
CVE-2025-34509
CVSS v2.0: 8.5 (High)
| Vector | AV:N/AC:L/Au:N/C:C/I:P/A:N |
Name of the Vulnerable Software and Affected Versions
- Sitecore Experience Manager (XM) and Experience Platform (XP) versions 10.1 through 10.1.4 rev. 011974 PRE
- Sitecore Experience Manager (XM) and Experience Platform (XP) versions 10.2
- Sitecore Experience Manager (XM) and Experience Platform (XP) versions 10.3 through 10.3.3 rev. 011967 PRE
- Sitecore Experience Manager (XM) and Experience Platform (XP) versions 10.4 through 10.4.1 rev. 011941 PRE
Description
The affected software contains a hardcoded user account named 'ServicesAPI' with the fixed password 'b'. Because these credentials are built into the product, unauthenticated remote attackers can use them to authenticate to the administrative API over HTTP. This serves as the entry point of a pre-authentication remote code execution chain.
Recommendations
- Sitecore Experience Manager (XM) and Experience Platform (XP) versions 10.1 through 10.1.4 rev. 011974 PRE: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
- Sitecore Experience Manager (XM) and Experience Platform (XP) versions 10.2: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
- Sitecore Experience Manager (XM) and Experience Platform (XP) versions 10.3 through 10.3.3 rev. 011967 PRE: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
- Sitecore Experience Manager (XM) and Experience Platform (XP) versions 10.4 through 10.4.1 rev. 011941 PRE: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Exploit
RCE using hardcoded credentials
Affected Products
- Sitecore Experience Manager
- Sitecore Experience Platform