Sitecore XP Insecure Deserialization (SC2025-005)

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(261484);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2025/09/06");

  script_cve_id("CVE-2025-53770", "CVE-2025-53771", "CVE-2025-53690");
  script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2025/07/21");
  script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2025/09/25");

  script_name(english:"Sitecore XP Insecure Deserialization (SC2025-005)");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server contains an application that is affected by an insecure deserialization vulnerability.");
  script_set_attribute(attribute:"description", value:
"The version of Sitecore XP running on the remote host is affected by an insecure deserialization vulnerability.
Sitecore deployments using the sample key provided with deployment instructions for XP 9.0 or earlier and Active
Directory 1.4 are potentially vulnerable to an insecure ViewState deserialization vulnerability that could allow a
remote, unauthenticated attacker to perform remote code execution and acquire non-authorized access to information.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  # https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1003865
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?ac511333");
  script_set_attribute(attribute:"solution", value:
"See vendor advisory.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2025-53690");
  script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2025-53770");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Microsoft SharePoint Server ToolPane Unauthenticated Remote Code Execution (aka ToolShell)');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2025/09/02");
  script_set_attribute(attribute:"patch_publication_date", value:"2025/09/02");
  script_set_attribute(attribute:"plugin_publication_date", value:"2025/09/05");

  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:sitecore:experience_platform");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_set_attribute(attribute:"enable_cgi_scanning", value:"true");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2025 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("sitecore_cms_detect.nasl");
  script_require_keys("installed_sw/sitecore_cms", "Settings/ParanoidReport");
  script_require_ports("Services/www", 80, 443);

  exit(0);
}

include('http.inc');
include('vcf.inc');
include('vcf_extras.inc');

# Not checking for sample machine key configuration
if (report_paranoia < 2)
  audit(AUDIT_PARANOID);

var port = get_http_port(default:80);
var app_info = vcf::sitecore_xp::get_app_info();

# As of writing the vendor's advisory indicates that any version could be vulnerable
var constraints = [
  {'max_version' : '999.0.0.0.9999999', 'fixed_display' : 'See vendor advisory'}
];

vcf::check_version_and_report(
  app_info:app_info,
  constraints:constraints,
  severity:SECURITY_HOLE
);