On June 17, 2025, watchTowr disclosed technical details for a pre-authenticated remote code execution (RCE) exploit chain in Sitecore Experience Platform (XP), an enterprise content management system. Although Sitecore released a fix for these vulnerabilities in May 2025, no official CVE identifiers have been assigned at this time. The three vulnerabilities are currently tracked as WT-2025-0024, WT-2025-0025, and WT-2025-0032 by watchTowr and impact Sitecore XP versions 10.1 through 10.4.
- WT-2025-0024 (Hardcoded ServicesAPI User Credentials): Sitecore XP contains a built-in service account with a hardcoded password, enabling unauthenticated attackers to bypass authentication and gain unauthorized access.
- WT-2025-0025 (Post-Authentication RCE via Sitecore PowerShell Extension): The Sitecore PowerShell Extensions module’s file upload lacks proper validation, letting authenticated threat actors upload malicious files that enable RCE.
- WT-2025-0032 (Post-Authentication RCE via Path Traversal): An upload feature vulnerable to path traversal allows authenticated threat actors to upload a crafted ZIP file containing malicious code, which leads to RCE.
While Arctic Wolf has not observed exploitation of these vulnerabilities in the wild, Sitecore vulnerabilities have been exploited in the past, as noted in CISA’s Known Exploited Vulnerabilities (KEV) catalog. With technical details now publicly available, threat actors may attempt to develop exploits in the near future.
Recommendation
Upgrade to Latest Fixed Version
Arctic Wolf strongly recommends that customers upgrade to the latest fixed version.
| Product | Affected Versions | Fixed Version |
| --- | --- | --- |
| Sitecore XP | 10.1 – 10.4 | 10.4 (May 2025 Update) |
Please follow your organization’s patching and testing guidelines to minimize potential operational impact.