CVE-2025-34511

HIGH EPSS 94.4%
Published Jun 17, 20251y ago · Modified Jun 17, 20261w ago
8.8 CVSS 3.1
High
Find Similar
Published Jun 17, 2025 1y ago
Last Modified Jun 17, 2026 1w ago

Description

Sitecore PowerShell Extensions, an add-on to Sitecore Experience Manager (XM) and Experience Platform (XP), through version 7.0 is vulnerable to an unrestricted file upload issue. A remote, authenticated attacker can upload arbitrary files to the server using crafted HTTP requests, resulting in remote code execution.

CVSS Details

Base Score
8.8
Exploitability
2.8
Impact
5.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector Network
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

Threat Intelligence

EPSS Exploit Probability
94.4% percentile
Exploit & Patch Status
Public Exploit Known
No Patch Available

Weaknesses 1

CWE-434 Unrestricted Upload of File with Dangerous Type Resource Mgmt

Affected Products 5

VendorProductVersionRange
sitecoreexperience_commerce*≥9.0  –  ≤10.4
sitecoreexperience_manager*≥9.0  –  ≤10.4
sitecoreexperience_platform*≥9.0  –  <10.4
sitecoreexperience_platform10.4any
sitecoremanaged_cloud*any

References 2

  • labs.watchtowr.com https://labs.watchtowr.com/is-b-for-backdoor-pre-auth-rce-chain-in-sitecore-experience-platform/
    ExploitThird Party Advisory
  • support.sitecore.com https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1003667
    Vendor Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.