CVE-2025-27218

Name of the Vulnerable Software and Affected Versions Sitecore Experience Manager (XM) and Experience Platform (XP) versions 8.2 through 10.4 before KB1002844

Description The issue lies in the insecure deserialization practices within the MachineKeyTokenService.IsTokenValid method, which improperly handles untrusted data from the ThumbnailsAccessToken HTTP header. This allows attackers to execute arbitrary code on vulnerable systems without authentication. The vulnerability affects various versions of Sitecore Experience Manager (XM) and Experience Platform (XP) and can lead to full server compromise and data exfiltration. With over 12,000 enterprise digital platforms globally using Sitecore, the implications of this vulnerability are significant.

Recommendations For Sitecore Experience Manager (XM) and Experience Platform (XP) versions 8.2 through 10.4 before KB1002844, apply the patch KB1002844 to resolve the issue. As a temporary workaround, consider disabling the MachineKeyTokenService.IsTokenValid method or restricting access to the ThumbnailsAccessToken HTTP header until a patch is available. Additionally, review security protocols to enhance defenses against similar vulnerabilities in the future.