Critical RCE Threat from Hard-Coded ‘b’ Password in Sitecore XP Exposes Enterprises

June 17, 2025
Vulnerability / Enterprise Software

Cybersecurity experts have identified three significant vulnerabilities in the widely-used Sitecore Experience Platform (XP) that could be exploited to achieve pre-authenticated remote code execution (RCE). Sitecore XP is an enterprise software solution that offers tools for content management, digital marketing, and analytics.

The vulnerabilities are as follows:

  • CVE-2025-34509 (CVSS score: 8.2) – Use of hard-coded credentials
  • CVE-2025-34510 (CVSS score: 8.8) – Post-authenticated RCE via path traversal
  • CVE-2025-34511 (CVSS score: 8.8) – Post-authenticated RCE via Sitecore PowerShell Extension

Researcher Piotr Bazydlo from watchTowr Labs pointed out that the default user account “sitecore\ServicesAPI” has a hard-coded single-character password, “b”. Notably, Sitecore’s documentation advises against altering default credentials. Although the user account lacks roles and permissions, the vulnerabilities still pose a serious risk.

Critical Security Flaws Discovered in Sitecore XP Could Lead to Remote Code Execution Risks

On June 17, 2025, cybersecurity researchers revealed several significant vulnerabilities in the widely-used Sitecore Experience Platform (XP), posing a grave risk of remote code execution (RCE) in enterprise environments. Sitecore XP, renowned for its capabilities in content management, digital marketing, and analytics, primarily serves large organizations looking to enhance their digital presence and engagement.

The disclosed vulnerabilities include hard-coded credentials and two vectors for post-authenticated RCE, which could potentially be exploited in succession. The first vulnerability, designated CVE-2025-34509, has a CVSS score of 8.2 and stems from the usage of hard-coded credentials. Additionally, two other vulnerabilities, CVE-2025-34510 and CVE-2025-34511, both scoring 8.8, allow for post-authenticated remote code execution via path traversal and through the Sitecore PowerShell Extension respectively.

Research conducted by Piotr Bazydlo from watchTowr Labs indicated that the default account “sitecore\ServicesAPI” ships with a single-character password hard-coded to “b”. Alarmingly, Sitecore’s own documentation discourages users from changing the default credentials, further compounding the security risk. Despite this account lacking assigned roles and permissions, the ability to authenticate as it may provide malicious actors a vector into the vulnerabilities present in the system.

Organizations utilizing the Sitecore XP platform, primarily based in the United States, could be at significant risk if these vulnerabilities remain unaddressed. The nature of these security flaws suggests that initial access could potentially be gained through exploitation of hard-coded credentials, leading to further unauthorized actions within the system. Following this initial breach, an attacker could utilize techniques classified under privilege escalation to conduct post-authenticated RCE, making the initial foothold a critical stage in the attack.

In light of these findings, stakeholders must prioritize the immediate assessment of systems using the Sitecore XP platform. Given the sophistication of the identified vulnerabilities, a careful review of asset protection measures, user account management, and incident response protocols is essential to mitigate risks associated with potential exploitation.

The implications of these vulnerabilities extend beyond immediate technical concerns, underscoring the need for robust cybersecurity practices in enterprise software environments. Organizations should be vigilant in monitoring for unusual activity and should consider employing additional security measures, such as multifactor authentication, to safeguard their systems against similar threats in the future. By understanding the tactics and techniques outlined in the MITRE ATT&CK framework, businesses can better prepare themselves to defend against potential cyber threats and safeguard their valuable digital assets.
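As an added illustration of the monitoring the paragraph above calls for, the following script is not from the article or from Sitecore; it is an example written for this page. It scans web-server log lines for two things a defender would want surfaced after reading this advisory: any request authenticated as the default “sitecore\ServicesAPI” account, which the article notes has no roles and so should not be active at all, and request URIs containing directory-traversal sequences (the second RCE vector named above). The seven-field log format and the sample lines are constructed assumptions, as are the example request paths; adapt the parser to the real log fields.

```python
import re
from dataclasses import dataclass
from urllib.parse import unquote

# Constructed sample lines (assumed IIS-style layout, not real Sitecore logs):
# date time method uri-stem+query status username client-ip
SAMPLE_LOG = """\
2025-06-17 10:01:02 GET /sitecore/login 200 - 203.0.113.10
2025-06-17 10:01:05 POST /sitecore/login 302 sitecore\\ServicesAPI 203.0.113.10
2025-06-17 10:01:09 GET /sitecore/shell/example-handler?path=..%2F..%2Fsecrets.txt 200 sitecore\\ServicesAPI 203.0.113.10
2025-06-17 10:02:00 GET /sitecore/content/home 200 sitecore\\admin 198.51.100.7
2025-06-17 10:02:30 GET /-/media/report.pdf 200 - 198.51.100.8
"""

# The default account named in the article; compared case-insensitively.
DEFAULT_ACCOUNT = "sitecore\\servicesapi"
# ".." followed by a path separator or end of string, checked after decoding.
TRAVERSAL = re.compile(r"\.\.(?:[\\/]|$)")


@dataclass(frozen=True)
class Finding:
    line_no: int
    rule: str
    detail: str


def parse_line(line: str):
    """Split one log line into its seven assumed fields; None if malformed."""
    parts = line.split()
    if len(parts) != 7:
        return None
    date, time, method, uri, status, user, client_ip = parts
    return {"when": f"{date} {time}", "method": method, "uri": uri,
            "status": status, "user": user, "client_ip": client_ip}


def has_traversal(uri: str) -> bool:
    """Decode twice so both '..%2F' and double-encoded '..%252F' are caught."""
    decoded = uri
    for _ in range(2):
        decoded = unquote(decoded)
    return TRAVERSAL.search(decoded) is not None


def analyze(log_text: str):
    """Return findings for default-account activity and traversal attempts."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["user"].lower() == DEFAULT_ACCOUNT:
            findings.append(Finding(
                line_no, "default-account-activity",
                f"{rec['user']} from {rec['client_ip']} at {rec['when']}"))
        if has_traversal(rec["uri"]):
            findings.append(Finding(
                line_no, "path-traversal",
                f"{rec['method']} {rec['uri']} by {rec['user']}"))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.rule}: {f.detail}")
```

Run against the constructed sample, the script flags line 2 and line 3 for the default account and line 3 again for the traversal sequence; a normal editor login and a media download produce nothing. The traversal check decodes twice on purpose, because a single pass misses `%252F`, and the account check matches on the username field rather than the login URL so that any post-login use of the account is caught, not only the login itself.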
