Critical Security Holes Found in Sitecore XP: Hackers Could Take Over Your Server Without a Password

by

A chain of serious security vulnerabilities has been discovered in the Sitecore Experience Platform (XP), a popular system used by many businesses to manage their websites and digital content. These flaws are critical because they could allow attackers to completely take over a server running Sitecore XP without needing any password or login credentials beforehand. Security researchers have detailed these issues, emphasizing the urgent need for companies using affected versions to patch their systems immediately.

Contents

The core issue lies in a combination of flaws that create a path for attackers to gain unauthorized access and run their own code on the server. If your organization uses Sitecore XP, understanding these vulnerabilities and applying the available patches is crucial to protect your data and operations.

What Happened?

Researchers at watchTowr uncovered a sequence of three distinct vulnerabilities within Sitecore XP versions 10.1 through 10.4. By chaining these issues together, an attacker can bypass standard security measures and execute malicious code on the server. This means they could potentially steal data, disrupt services, or install malware.

Sitecore is a widely used enterprise Content Management System (CMS) that powers the online presence for thousands of organizations, including major banks, airlines, and global corporations. This widespread use means the potential impact of these vulnerabilities is significant.

Read more: CMF Watch 3 Pro Unveiled: Smarter Tracking, Longer Battery, Still Budget-Friendly

How the Attack Chain Works

The attack chain leverages a few weaknesses:

A Hidden User with a Simple Password

The first step exploits a built-in internal user named sitecoreServicesAPI. This user account had a hardcoded, easy-to-guess password: “b”. While this user isn’t an administrator and has no assigned roles in the traditional sense, the researchers found a way to authenticate using this account through an alternate login path (/sitecore/admin). This bypass worked because Sitecore’s backend login checks weren’t fully applied in certain contexts. Successfully authenticating this way provides the attacker with a valid session cookie, granting them a basic level of authenticated access to parts of the system that are usually protected.

Abstract image representing a digital breach or hacker access to a system like Sitecore.Abstract image representing a digital breach or hacker access to a system like Sitecore.

Tricking the System with a “Zip Slip” File

With a basic authenticated session, the attacker can then exploit a second vulnerability found in Sitecore’s Upload Wizard. This flaw is known as a “Zip Slip” vulnerability. When uploading a ZIP file through the wizard, an attacker can include malicious file paths inside the archive – for example, a path like //../webshell.aspx. Because Sitecore didn’t properly check or “sanitize” these paths, the system could be tricked into writing the malicious file outside the intended upload folder and directly into the server’s public webroot directory.

Uploading a file like webshell.aspx to the webroot allows the attacker to execute code remotely through a web browser. A webshell is a small script or application that provides a command-line interface via the web, giving the attacker control over the server.

Read more: The Verge Just Leveled Up Your News Feed: Get Ready for Personalized Tech!

An Even Easier Path with PowerShell Extensions

A third vulnerability makes exploitation even simpler if the Sitecore PowerShell Extensions (SPE) module is installed (which is common, often bundled with Sitecore Experience Accelerator, or SXA). This specific flaw allows an attacker to upload any file to any location they choose on the server, bypassing checks on file types or where the file should be saved. This provides a more direct and reliable way to upload a webshell or other malicious code and achieve Remote Code Execution (RCE).

Remote Code Execution (RCE) is exactly what it sounds like – the ability for someone to run commands on your computer or server from a different location over the internet.

Who is Affected and How Bad Is It?

These vulnerabilities impact Sitecore XP versions 10.1, 10.2, 10.3, and 10.4.

WatchTowr’s analysis identified over 22,000 Sitecore instances publicly accessible online. While not all of these may be running the vulnerable versions or configurations, it highlights a significant number of potential targets. The fact that Sitecore is used by many high-profile organizations amplifies the risk.

Read more: Next-Gen Xbox & PS6 Leaks: Is This AMD Chip the Heart of Microsoft’s Future Console?

“Sitecore is deployed across thousands of environments, including banks, airlines, and global enterprises — so the blast radius here is massive,” stated watchTowr CEO Benjamin Harris. He emphasized the severity, adding, “If you’re running Sitecore, it doesn’t get worse than this.”

Patches Are Available – But Act Fast

Sitecore released security patches to address these issues back in May 2025. However, the technical details and official identifiers (CVE IDs) for the vulnerabilities were kept confidential until June 17, 2025. This delay was intended to give customers time to apply the patches before the vulnerabilities became public knowledge, reducing the window for attackers to exploit them.

Now that the details are public, the risk of real-world attacks is considered imminent. The watchTowr researchers have published technical information sufficient for skilled attackers to understand and replicate the exploit chain.

What You Need to Do Now

If your organization uses Sitecore XP versions 10.1 through 10.4, you must take immediate action:

  1. Patch Immediately: Apply the official security patches released by Sitecore for your specific version. This is the most critical step.
  2. Rotate Credentials: As an extra precaution, change the passwords for any service accounts or built-in users, especially the sitecoreServicesAPI user if it wasn’t disabled or modified previously.

While there is no public evidence of these specific vulnerabilities being exploited in the wild yet, the high-risk nature and the public availability of technical details mean the threat level is extremely high. Do not delay patching.

Managing patches across an enterprise can be complex. For insights into how modern IT teams streamline this process, explore resources on automating patch management.

  • Related: New Veeam RCE flaw lets domain users hack backup servers
  • Related: Trend Micro fixes critical vulnerabilities in multiple products
  • Related: Exploit details for max severity Cisco IOS XE flaw now public

Related Posts

Animated GIF showing a user clicking to follow the 'AI' topic on The Verge website, personalizing their tech news feed.
The Verge Just Got Smarter: Personalized Feeds & Newsletters Are Here!
Color-coded diagram of the AMD Magnus APU, potentially the next-gen Xbox chip, showing its Zen 6 CPU and large graphics die.
Next-Gen Xbox & PS6 Leaks: Is This AMD Chip the Heart of Microsoft’s Future Console?
Conceptual image of a future Apple HomePod smart speaker with a large, integrated touchscreen display, showing smart home controls.
HomePod Gets a Screen? iOS 26 Leak Hints at ‘HomePod Touch’
Animated GIF showing a user following specific technology topics on The Verge website to personalize their news feed.
The Verge Just Leveled Up Your News Feed: Get Ready for Personalized Tech!
Conceptual render of Apple's upcoming HomePod device featuring an integrated touch screen, hinting at visual capabilities for smart home control and information display.
Apple’s Next Big Home Device: Is the “HomePod Touch” Coming with a Screen?
Orange CMF Watch 3 Pro showcasing its sleek design and bright strap from a side angle
CMF Watch 3 Pro Unveiled: Smarter Tracking, Longer Battery, Still Budget-Friendly
Smartphone displaying the Gmail app interface, symbolizing an overflowing email inbox or new email features.
Your Gmail is Still Flooded? Google’s Next Big Fix for Spam is Coming
A close-up view of the Google Pixel 10 Pro smartphone in a sleek, steely gray color, officially teased ahead of its launch event.
Google Just Teased the Pixel 10 Pro! Get an Early Look & Exclusive Offer
Donkey Kong Bananza's stunning visuals on Nintendo Switch 2, earning praise from the legendary artists behind Donkey Kong Country.
Original Donkey Kong Country Creators Give Thumbs Up to Smash Hit Donkey Kong Bananza on Switch 2
Google Keep notes and task list interface with cover image
Google Keep Reminders Are Moving to Tasks: What You Need to Know
Windows 11 Click to Do feature showing a highlighted paragraph being summarized by AI
Windows 11 Just Got Smarter: Powerful New AI Features Roll Out Now
Sony X90L 65-inch 4K LED Smart TV with vibrant display showcasing immersive content
Unleash Next-Gen Gaming: Sony X90L 4K TV Slashes Price to All-Time Low!
Google Play Services logo with abstract blue background, representing the core Android system updates
Google’s Latest Android Updates Bring Smarter Wear OS, Enhanced Apps, and Wallet Upgrades
An iPhone display showcasing the new iOS 26 Dynamic Wallpaper, featuring a smooth gradient of blue and purple tones, illustrating its automatic color-shifting capability.
Your iPhone’s Wallpaper Just Got Smarter: iOS 26 Beta 4 Unveils Dynamic Colors!
A sleek Kioxia LC9 Series SSD, showcasing its compact 2.5-inch form factor with a futuristic design, representing the cutting-edge of high-capacity data storage.
Kioxia LC9 SSD: How a Tiny Drive Now Stores a Staggering 245TB!
A striking visual of a game character in a dynamic pose, from a video discussing the future of AAA games.
The Fight for Your Digital Games: Why Ubisoft is Under Fire Over Game Preservation
Google Pixel 9a home screen showcasing the current Android user interface and app icons.
Google’s Android Updates Just Got More Confusing: Here’s What You Need to Know
A server rack with glowing lights, illustrating the hardware infrastructure managed by Windows Server 2019.
Urgent Alert: Windows Server 2019 Update Causing Cluster & VM Chaos – What Businesses Must Do
In-game screenshot from Grand Theft Auto 6 featuring a detailed character and bustling street scene, hinting at future PS5 Pro performance.
Could GTA 6 Hit 60fps on PS5 Pro? Unpacking the Latest Performance Rumor
Leaked image showing the Lenovo Legion Go 2 prototype in action, highlighting its new display features.
Lenovo Legion Go 2 Leak: A Game-Changing Handheld with a Stunning OLED Screen?
Sleek Oakley HSTN Meta smart glasses in gray with polarized lenses, showcasing their modern, rounded frame design.
Oakley Meta vs. Ray-Ban Meta Smart Glasses: Which AI Glasses Should You Choose?
Thomas Mahler, CEO of Moon Studios, clarifies console release plans for No Rest for the Wicked on X, addressing Xbox prioritization.
No Rest for the Wicked: Xbox Release Prioritized Behind PS5 & Switch 2 (For Now)
A digital interface showcasing educational content and tools from The Freelance Photographer, highlighting resources for aspiring photography professionals.
VSCO Unleashes Global Access for Capture Camera App and Bolsters Pro Photographers with Strategic Acquisition
The iconic front cover of Dungeons & Dragons module B2 The Keep on the Borderlands, featuring classic fantasy art.
Dungeons & Dragons: Why “The Keep on the Borderlands” Is Still the Ultimate Adventure After 46 Years
Screenshot of the Xbox PC application dashboard showing the 'Play History' section, featuring various game tiles ready for cross-device cloud play.
Seamless Gaming: Xbox Tests Feature That Syncs Your Cloud Games Across Devices
Close-up view of the nano SIM card slot on the Microsoft Surface Laptop 5G, positioned next to the Surface Connect charging port, highlighting its mobile connectivity feature.
Stay Connected Anywhere: Microsoft Unveils the New Surface Laptop 5G with AI Power!
Close-up view of the Gemini AI app icon displayed on the vibrant screen of a Samsung Galaxy Watch 8 Classic, highlighting the sleek Wear OS 6 interface and modern smartwatch capabilities.
Good News! Galaxy Watch 8 Now Pairs Perfectly with Android 16 Beta
Rear view of the Elgato Game Capture 4K S showing its HDMI in, HDMI out, and USB-C ports, ready for console and PC connection.
Elgato Game Capture 4K S: Affordable 4K Streaming Made Simple for Gamers
Diagram illustrating Rocket Lab's proposed dredging project for Sloop Gut channel to allow large Neutron rocket deliveries to Wallops Island
Rocket Lab’s Race Against Time: Battling Shallow Waters to Launch Neutron Rocket in Virginia
An Apple Watch interface concept showing a 'Focus Score' of 84, with colored segments representing different sleep stages like REM, Core, and Deep sleep, as discovered in iOS 26 code.
Your Apple Watch May Soon Offer a Sleep Score: A New Era for Your Health Data
OneXSugar Sugar 1 handheld displaying vibrant RGB lighting on its grips and analog sticks, with the secondary screen deployed as a convenient kickstand for tabletop gaming.
OneXSugar Sugar 1: The Wild Dual-Screen Handheld That Could Redefine Portable Gaming
Close-up of the Google Pixel 9 Pro's distinctive camera bar in Rose Quartz, highlighting its premium design.
From Samsung Superfan to Pixel Convert? My Month with the Google Pixel 9 Pro
A smart television screen with red 'buy' icons crossed out, symbolizing a user's initial hesitation about integrated smart TVs.
Your TV Can Be a Smart Home Hub: How Google TV Streamer Changed My Mind
Grand Theft Auto 6 logo against a backdrop of Vice City, symbolizing the potential for high frame rates on PS5 Pro.
Will GTA 6 Hit 60fps on PS5 Pro? Sony Engineers May Be Lending a Hand
Blue Origin's towering New Glenn rocket launching into the night sky, showcasing its powerful debut.
Mars Mission Onboard: Blue Origin’s New Glenn Rocket Set for Exciting Second Launch
A Warframe character, a sci-fi space ninja, navigates a smoky, destroyed trench battlefield, echoing World War I imagery in The Old Peace expansion. The scene highlights the game's shift to a more somber narrative.
Warframe’s “The Old Peace”: A Deep Dive into WWI-Inspired Sci-Fi Conflict
HPE (Hewlett Packard Enterprise) logo on a modern, dark background, symbolizing network security and enterprise solutions.
IMMEDIATE ACTION: Critical Security Flaws Found in HPE Aruba Instant On Wi-Fi Devices!
Vibrant screenshot of a hovercraft speeding through a futuristic cityscape in Fast Fusion, showcasing the Nintendo Switch 2's impressive graphics for sci-fi racing.
Fast Fusion Review: The Surprising $15 Racer Redefining Switch 2 Graphics
A person's hand holding a smartphone with a tent in the background, superimposed with a smart TV screen showing crossed-out shopping icons, illustrating a shift away from integrated smart TVs.
Level Up Your Living Room: Why Your TV Needs a Google TV Streamer as Your Smart Home Hub
Close-up of a Google Pixel 8 Pro in a unique color, highlighting its distinctive camera bar design.
Unforgettable Shades: Ranking the Best Google Pixel Phone Colors Ever!