A chain of Sitecore Experience Platform (XP) vulnerabilities allows attackers to perform remote code execution (RCE) without authentication to breach and hijack servers.

Sitecore is a popular enterprise CMS used by businesses to create and manage content across websites and digital media.

Discovered by watchTowr researchers, the pre-auth RCE chain disclosed today consists of three distinct vulnerabilities. It hinges on the presence of an internal user (sitecoreServicesAPI) with a hardcoded password set to “b”, making it trivial to hijack.

This built-in user isn’t an admin and has no assigned roles. However, the researchers could still use it to authenticate via an alternate login path (/sitecore/admin) due to Sitecore’s backend-only login checks being bypassed in non-core database contexts.

The result is a valid “.AspNet.Cookies” session, granting the attacker authenticated access to internal endpoints protected by IIS-level authorization but not Sitecore role checks.

With this initial foothold secured, attackers can exploit the second vulnerability, a Zip Slip flaw in Sitecore’s Upload Wizard.

As watchTowr explains, a ZIP file uploaded via the wizard can contain a malicious file path like //../webshell.aspx. Due to insufficient path sanitization and the way Sitecore maps paths, this results in writing arbitrary files into the webroot, even without knowledge of the full system path.

This enables the attacker to upload a webshell and execute remote code.

A third vulnerability becomes exploitable when the Sitecore PowerShell Extensions (SPE) module is installed (commonly bundled with SXA).

This flaw allows an attacker to upload arbitrary files to attacker-specified paths, bypassing extension or location restrictions entirely and providing a simpler route to reliable RCE.

Impact and risk

The three vulnerabilities reported by watchTowr affect Sitecore XP versions 10.1 through 10.4.

WatchTowr’s scans show over 22,000 publicly exposed Sitecore instances, highlighting a significant attack surface, though not all are necessarily vulnerable.

Patches addressing the issues were made available in May 2025, but the CVE IDs and technical details were embargoed until June 17, 2025, to give customers time to update.

“Sitecore is deployed across thousands of environments, including banks, airlines, and global enterprises — so the blast radius here is massive,” commented watchTowr CEO Benjamin Harris to BleepingComputer.

“And no, this isn’t theoretical: we’ve run the full chain, end-to-end. If you’re running Sitecore, it doesn’t get worse than this – rotate creds and patch immediately before attackers inevitably reverse engineer the fix.”

As of writing, there is no public evidence of exploitation in the wild.

However, watchTowr’s technical blog contains enough detail to build a fully working exploit, so the risk of real-world abuse is imminent.