CVE-2025-34139

HIGH EPSS 36.7%

Published Jul 25, 202511mo ago · Modified Jun 17, 20261w ago

8.7 CVSS 4.0

High

Published Jul 25, 2025 11mo ago

Last Modified Jun 17, 2026 1w ago

Description

A vulnerability exists in Sitecore Experience Manager (XM), Experience Platform (XP), Experience Commerce (XC), and Managed Cloud that could allow an unauthenticated attacker to read arbitrary files. This vulnerability affects all Experience Platform topologies (XM, XP, XC) from 8.0 Initial Release through 10.4 Initial Release and later. This issue affects Content Management (CM) and standalone instances. PaaS and containerized solutions are also affected.

CVSS Details

Base Score

8.7

Exploitability

—

Impact

—

Vector string

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector Network

Attack Complexity Low

Privileges Required None

User Interaction None

Scope X

Threat Intelligence

EPSS Exploit Probability

36.7% percentile

Exploit & Patch Status

No Known Exploit

No Patch Available

Weaknesses 2

CWE-522

CWE-552

References 3

support.sitecore.com https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1003650
support.sitecore.com https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1003661
vulncheck.com https://www.vulncheck.com/advisories/sitecore-xm-xp-xc-managed-cloud-arbitrary-file-read

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.