The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two six-year-old vulnerabilities affecting the Sitecore Content Management System (CMS) and Experience Platform (XP) to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence that the flaws are being actively exploited.

The first, CVE-2019-9874, carries a CVSS score of 9.8. It is a deserialization flaw in the Sitecore.Security.AntiCSRF module: an unauthenticated attacker can execute arbitrary code by sending a serialized .NET object in the HTTP POST parameter '__CSRFTOKEN'. The second, CVE-2019-9875, is a deserialization flaw in the same module with a CVSS score of 8.8; it allows an authenticated attacker to achieve the same arbitrary code execution through the same parameter.
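A defender's way to spot the attack pattern described above is to look at what the '__CSRFTOKEN' parameter actually carries. The following is an added example, not code from the article or from Sitecore: it parses a form-encoded POST body and flags a token that base64-decodes to a .NET BinaryFormatter stream (the stream always begins with the SerializationHeaderRecord bytes 00 01 00 00 00 FF FF FF FF, which encode to "AAEAAAD/////"). The sample bodies are constructed; the check assumes the attacker payload is BinaryFormatter-encoded, which is the usual form of a .NET deserialization payload, and it makes no claim about what a legitimate Sitecore token looks like beyond "not a serialization stream".

```javascript
// Added example (not from the article or from Sitecore): flag POST bodies
// whose __CSRFTOKEN parameter carries a base64-encoded .NET BinaryFormatter
// stream, the on-the-wire shape of a deserialization attempt against the
// AntiCSRF module. Assumption: the payload uses BinaryFormatter framing.

// Leading bytes of every BinaryFormatter stream: SerializationHeaderRecord
// (record type 0x00, RootId 1, HeaderId -1). Base64 of these is "AAEAAAD/////".
const BINARY_FORMATTER_MAGIC = Buffer.from([
  0x00, 0x01, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
]);

// Decode base64 leniently: accept URL-safe alphabet, and repair '+' that a
// form decoder turned into a space before we got the value.
function decodeBase64Lenient(value) {
  const normalised = value.replace(/ /g, '+').replace(/-/g, '+').replace(/_/g, '/');
  return Buffer.from(normalised, 'base64');
}

// True when the value decodes to bytes that start with the BinaryFormatter header.
function looksLikeBinaryFormatter(value) {
  const bytes = decodeBase64Lenient(value);
  return (
    bytes.length >= BINARY_FORMATTER_MAGIC.length &&
    bytes.subarray(0, BINARY_FORMATTER_MAGIC.length).equals(BINARY_FORMATTER_MAGIC)
  );
}

// Inspect one application/x-www-form-urlencoded POST body.
// Returns { suspicious, reason } so the caller can log, alert, or block.
function inspectCsrfTokenParam(body) {
  const params = new URLSearchParams(body);
  const token = params.get('__CSRFTOKEN');
  if (token === null) {
    return { suspicious: false, reason: 'no __CSRFTOKEN parameter' };
  }
  if (looksLikeBinaryFormatter(token)) {
    return { suspicious: true, reason: '__CSRFTOKEN decodes to a .NET BinaryFormatter stream' };
  }
  return { suspicious: false, reason: '__CSRFTOKEN has no serialization header' };
}

// Constructed sample bodies (not real traffic). The second token is the
// BinaryFormatter header followed by a few filler bytes, nothing executable.
const SAMPLE_BODIES = {
  benign: '__CSRFTOKEN=dGVzdC10b2tlbi12YWx1ZQ%3D%3D&action=save',
  serialized: '__CSRFTOKEN=AAEAAAD%2F%2F%2F%2F%2FAQAAAAAAAAAMAgAAAA%3D%3D&action=save',
  missing: 'action=save',
};

// Run the check over every sample and return the verdicts keyed by name.
function scanSamples(bodies = SAMPLE_BODIES) {
  const verdicts = {};
  for (const [name, body] of Object.entries(bodies)) {
    verdicts[name] = inspectCsrfTokenParam(body);
  }
  return verdicts;
}

for (const [name, verdict] of Object.entries(scanSamples())) {
  console.log(`${name}: suspicious=${verdict.suspicious} (${verdict.reason})`);
}
```

The same check is cheap enough to run inline in a WAF rule or reverse-proxy filter, and it generalises to any parameter that should never carry a serialized object: swap the parameter name and keep the magic-byte test.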

Little is publicly known about how the flaws are being exploited in the wild, although Sitecore itself reported on March 30, 2020, that it had observed active exploitation of CVE-2019-9874. The company has not reported known exploitation of CVE-2019-9875. Federal agencies are required to apply the necessary patches by April 16, 2025.

Separately, Akamai disclosed that it has observed early attempts to exploit a newly disclosed critical vulnerability in the Next.js web framework, tracked as CVE-2025-29927 (CVSS score 9.1). The flaw is an authorization bypass: by spoofing a specific header, an attacker can skip middleware-based security checks and reach application resources that the middleware was meant to protect.

The techniques Akamai highlighted use the 'x-middleware-subrequest' header, which, when manipulated, makes a single external request look like a chain of internal subrequests. This triggers the internal redirection logic of Next.js and mirrors publicly available proof-of-concept exploits.
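The mitigation that follows from the description above is to treat the subrequest marker as internal-only: a request that arrives from the outside carrying it is not a genuine internal subrequest, so the edge should drop the header before the application sees it and record the attempt. The following is an added example, not Akamai's code, Vercel's code, or the Next.js patch; it uses the header name as it appears in the Next.js source, x-middleware-subrequest, and the access-log records it scans are constructed. The header value in the sample is a placeholder, not a working payload.

```javascript
// Added example (not Akamai's, Vercel's, or the Next.js project's code).
// Two defender-side pieces for the middleware bypass described above:
//  1. sanitizeInboundHeaders: strip internal-only headers from external
//     requests at the reverse proxy / edge, returning what was removed.
//  2. findSubrequestSpoofing: scan access-log style records for external
//     requests that carried the marker, for detection and alerting.

// Headers that only the framework itself should ever set on a subrequest.
const INTERNAL_ONLY_HEADERS = ['x-middleware-subrequest'];

// Take an inbound header map (any letter case) and return a lower-cased copy
// with internal-only headers removed, plus the list of what was stripped.
function sanitizeInboundHeaders(headers) {
  const clean = {};
  const stripped = [];
  for (const [name, value] of Object.entries(headers)) {
    const key = name.toLowerCase();
    if (INTERNAL_ONLY_HEADERS.includes(key)) {
      stripped.push({ name: key, value });
      continue;
    }
    clean[key] = value;
  }
  return { headers: clean, stripped };
}

// Edge handler: sanitize, emit an alert for anything stripped, then hand the
// cleaned request on. `forward` is a hypothetical function representing the
// upstream application; `alert` receives one object per stripped header.
function handleAtEdge(request, forward, alert = () => {}) {
  const { headers, stripped } = sanitizeInboundHeaders(request.headers);
  for (const s of stripped) {
    alert({ src: request.src, path: request.path, header: s.name, value: s.value });
  }
  return forward({ ...request, headers });
}

// Detection over access-log records shaped like { src, path, headers }.
// Returns one finding per record that carried an internal-only header.
function findSubrequestSpoofing(records) {
  const findings = [];
  for (const record of records) {
    for (const [name, value] of Object.entries(record.headers)) {
      const key = name.toLowerCase();
      if (INTERNAL_ONLY_HEADERS.includes(key)) {
        findings.push({ src: record.src, path: record.path, header: key, value });
      }
    }
  }
  return findings;
}

// Constructed sample log (not real traffic). The header value is a
// placeholder; a real attempt would carry a string the framework parses as
// a chain of subrequests, which is exactly why it is dropped unread here.
const SAMPLE_LOG = [
  { src: '198.51.100.7', path: '/', headers: { 'User-Agent': 'curl/8.0' } },
  { src: '203.0.113.10', path: '/admin/settings',
    headers: { 'User-Agent': 'curl/8.0', 'X-Middleware-Subrequest': 'PLACEHOLDER-CHAIN' } },
  { src: '198.51.100.8', path: '/login', headers: { Accept: 'text/html' } },
];

// Walk the sample log through the edge handler and return the alerts raised.
function demo(records = SAMPLE_LOG) {
  const alerts = [];
  const forward = (req) => req; // stand-in for the upstream application
  for (const record of records) {
    handleAtEdge(record, forward, (a) => alerts.push(a));
  }
  return alerts;
}

for (const a of demo()) {
  console.log(`alert: ${a.src} sent ${a.header} on ${a.path}`);
}
```

Stripping at the edge protects deployments that cannot upgrade immediately; upgrading to a patched Next.js release remains the actual fix, and the alert stream from the stripped header is useful afterwards as a signal that someone is probing for the bypass.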

These alerts follow a warning from GreyNoise about ongoing exploitation attempts against several known vulnerabilities in DrayTek devices. GreyNoise observed active exploit attempts against multiple CVEs, including CVE-2020-8515, an operating system command injection flaw affecting several DrayTek router models that allows remote code execution.

Indonesia, Hong Kong, and the United States were the primary destinations of the attack traffic associated with CVE-2020-8515. Lithuania, the United States, and Singapore were the main targets of attacks leveraging CVE-2021-20123 and CVE-2021-20124, both of which allow unauthorized file access on DrayTek VigorConnect systems.

This activity maps to familiar MITRE ATT&CK tactics: initial access by exploiting unpatched, internet-facing vulnerabilities, followed by privilege escalation and lateral movement. Organizations are strongly encouraged to prioritize vulnerability management and stay informed about emerging threats.
