Sitecore 0-Day Vulnerability Let Attackers Execute Remote Code


A newly disclosed critical vulnerability in Sitecore Experience Platform (CVE-2025-27218) allows unauthenticated attackers to execute arbitrary code on unpatched systems. 

The flaw, rooted in insecure deserialization practices, affects Sitecore Experience Manager (XM) and Experience Platform (XP) versions 8.2 through 10.4 prior to patch KB1002844. 

Security firm Assetnote discovered the vulnerability, which stems from Sitecore's use of the deprecated BinaryFormatter class on attacker-controlled input that is processed before any authentication check, so an unauthenticated request can deliver a malicious payload.

Critical Sitecore 0-Day Vulnerability

The vulnerability resides in the MachineKeyTokenService.IsTokenValid method, which deserializes untrusted data from the ThumbnailsAccessToken HTTP header using Convert.Base64ToObject, a custom wrapper around BinaryFormatter. 

Critically, the deserialization occurs before decryption, so the token is never checked against the machine key before BinaryFormatter interprets it: whatever bytes the attacker places in the header go straight into the processing pipeline.

Attackers exploit this by generating a malicious serialized object with a tool such as ysoserial.net, using the WindowsIdentity gadget chain to execute operating system commands; a proof-of-concept payload need do nothing more than create a file on disk to confirm code execution.

The resulting Base64-encoded payload is inserted into the ThumbnailsAccessToken header. 

Sitecore’s AuthenticateThumbnailsRequest HTTP processor, part of the httpRequestBegin pipeline, parses this header on every request before any authentication check has run, so a single unauthenticated request is enough to trigger deserialization and the payload.
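The ordering bug described above, shown as an added example in C# rather than Sitecore's own code: a simplified reconstruction of the vulnerable verify-after-deserialize pattern beside a hardened version that verifies first and never hands request data to BinaryFormatter. The class, method names and the purpose string are assumptions made for the example; MachineKey.Protect/Unprotect and BinaryFormatter are the real .NET Framework APIs.

```csharp
using System;
using System.IO;
using System.Runtime.Serialization.Formatters.Binary;
using System.Security.Cryptography;
using System.Web.Security;

// Illustrative reconstruction of the ordering bug discussed in the article.
// Class, method names and "Purpose" are assumptions for this example, not Sitecore code.
public static class ThumbnailTokenExample
{
    private const string Purpose = "thumbnails-access"; // assumed purpose string

    // VULNERABLE: the header value is fed to BinaryFormatter before anything is verified.
    // BinaryFormatter instantiates whatever types the stream names, so a gadget chain
    // runs inside Deserialize() and the later Unprotect() never gets a say.
    public static bool IsTokenValid_Vulnerable(string headerValue)
    {
        byte[] raw = Convert.FromBase64String(headerValue);
        object graph;
        using (var ms = new MemoryStream(raw))
            graph = new BinaryFormatter().Deserialize(ms);   // attacker-chosen types are built here
        byte[] protectedBytes = graph as byte[];
        if (protectedBytes == null) return false;             // too late: the damage is already done
        try { return MachineKey.Unprotect(protectedBytes, Purpose) != null; }
        catch (CryptographicException) { return false; }
    }

    // HARDENED: verify first, and never hand request data to BinaryFormatter at all.
    // The token only ever carries a byte[], so Base64 plus MachineKey.Protect/Unprotect
    // (which encrypts and MACs with the server's machine key) is the whole format.
    public static string Issue(byte[] payload)
    {
        return Convert.ToBase64String(MachineKey.Protect(payload, Purpose));
    }

    public static bool IsTokenValid_Hardened(string headerValue, out byte[] payload)
    {
        payload = null;
        if (string.IsNullOrEmpty(headerValue) || headerValue.Length > 4096) return false;

        byte[] protectedBytes;
        try { protectedBytes = Convert.FromBase64String(headerValue); }
        catch (FormatException) { return false; }

        // Unprotect throws on a bad MAC, so a forged or tampered token is rejected
        // before a single byte of it is interpreted as anything but ciphertext.
        try { payload = MachineKey.Unprotect(protectedBytes, Purpose); }
        catch (CryptographicException) { return false; }
        return payload != null;
    }
}
```

The hardened path also bounds the header length before decoding and treats a decode or MAC failure as an ordinary "invalid token" result rather than an exception, so a scanner hammering the endpoint learns nothing and cannot reach the deserializer.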

With Sitecore powering over 12,000 enterprise digital platforms globally, this vulnerability poses systemic risks:

  • Pre-Auth RCE: Exploitation requires no credentials, enabling mass scanning and attack automation.
  • Full Server Compromise: Successful attacks execute code as the IIS application-pool identity (IIS APPPOOL\Sitecore), a foothold for lateral movement and data exfiltration.
  • Business Disruption: Malicious actors could deface websites, inject malware, or cripple CMS operations.

Assetnote’s analysis highlights how the flawed use of BinaryFormatter, a .NET class Microsoft explicitly warns against using, created an avoidable attack surface. 

Sitecore’s use of this mechanism merely to carry a byte array introduced unnecessary risk, compounded by the misordered decryption step that let the deserializer run on unverified input.

Mitigations

Sitecore released a patch to address CVE-2025-27218, urging customers to:

  • Immediately apply the security hotfix described in KB1002844 to the version in use; upgrading to 10.4 alone does not remove the flaw, since 10.4 is affected until patched.
  • Audit custom httpRequestBegin processors and other pipeline code for BinaryFormatter usage on request-supplied data.
  • Monitor for anomalous ThumbnailsAccessToken header activity (custom request headers are not logged by default; IIS W3C logging must be configured with a custom field to capture it).

For organizations unable to patch immediately, Microsoft's general BinaryFormatter guidance applies: restrict the types a stream may produce with a SerializationBinder, or disable BinaryFormatter entirely through runtime configuration. The configuration switch (EnableUnsafeBinaryFormatterSerialization) exists on .NET 5 and later; Sitecore XP and XM run on .NET Framework, where there is no such switch, so there the options are a strict binder or removing BinaryFormatter from the request path, and neither substitutes for the vendor patch.
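As an added example of the binder restriction mentioned above (not Sitecore's or Microsoft's code), the following allow-list SerializationBinder admits only a byte array and rejects every other type, which is what stops a gadget chain such as the WindowsIdentity one from being instantiated. The class names are assumptions for the example; the one non-obvious point it encodes is a .NET Framework caveat: a binder that returns null for an unknown type does not block it, because the formatter falls back to default type resolution, so the binder has to throw.

```csharp
using System;
using System.IO;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Formatters.Binary;

// Deny-by-default binder for BinaryFormatter on .NET Framework.
// Class names here are assumptions for this example.
public sealed class ByteArrayOnlyBinder : SerializationBinder
{
    // The only type this stream is ever allowed to yield. BinaryFormatter passes
    // the type name recorded in the stream, which for byte[] is "System.Byte[]".
    private static readonly Type[] Allowed = { typeof(byte[]) };

    public override Type BindToType(string assemblyName, string typeName)
    {
        foreach (var t in Allowed)
            if (string.Equals(t.FullName, typeName, StringComparison.Ordinal))
                return t;

        // Do NOT return null here. On .NET Framework a null return means
        // "use the default binder", which would happily resolve the gadget type.
        throw new SerializationException(
            $"Type '{typeName}' from '{assemblyName}' is not permitted in this stream.");
    }
}

public static class GuardedDeserializer
{
    // Same wire format as before, but anything that is not a plain byte[] aborts
    // inside the binder before its constructor, ISerializable callback or
    // surrogate selector can run.
    public static byte[] DeserializeBytes(byte[] stream)
    {
        var formatter = new BinaryFormatter { Binder = new ByteArrayOnlyBinder() };
        using (var ms = new MemoryStream(stream))
            return (byte[])formatter.Deserialize(ms);
    }
}
```

A binder of this kind is defence in depth for code that cannot yet drop BinaryFormatter; Microsoft's own guidance is that no binder makes BinaryFormatter safe on untrusted input, and for a payload that is only ever a byte array the right fix is the one the hardened path uses: no object graph at all. On .NET 5 and later the project can additionally set EnableUnsafeBinaryFormatterSerialization to false, which makes every BinaryFormatter call throw.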

This incident underscores persistent challenges in secure deserialization practices. Despite widespread awareness of BinaryFormatter risks since at least 2017, its continued use in enterprise software illustrates the gap between vulnerability research and developer education. 

As of March 6, 2025, no in-the-wild exploits have been confirmed, but unpatched systems remain critically exposed. Organizations using Sitecore must prioritize remediation to prevent large-scale breaches.



