Vulnerabilities in Sitecore CMS Platform Allow Remote Execution of Arbitrary Code


Security researchers at watchTowr Labs have uncovered a chain of vulnerabilities in Sitecore Experience Platform that could allow attackers to poison the content served by enterprise websites without authentication and then, with only content-editing privileges, execute code on the underlying server.

The research reveals how cybercriminals could poison website cache systems, escalate privileges, and execute remote code on systems used by thousands of organizations worldwide.

HTML Cache Poisoning Enables Attacks

The most concerning vulnerability, designated CVE-2025-53693, centers on an HTML cache poisoning technique that requires no user credentials to execute.

Researchers discovered they could abuse an unsafe reflection mechanism in Sitecore’s XamlPageHandlerFactory to manipulate cached website content, allowing attackers to inject their own HTML into legitimate pages served to unsuspecting visitors.

The attack works by targeting Sitecore’s caching system through a previously overlooked pathway in the platform’s XAML handler.

By crafting specific HTTP requests to the “/-/xaml/” endpoint, attackers can invoke the AddToCache method to overwrite legitimate cached HTML content with malicious payloads.

This technique is particularly dangerous because it affects the actual content served to website visitors, making detection extremely difficult.

Key aspects of the cache poisoning vulnerability include:

  • Zero authentication required – Attackers can exploit this vulnerability without any valid credentials.
  • Direct content manipulation – Malicious HTML can replace legitimate cached content served to users.
  • Stealth operation – The poisoned cache appears to function normally, making detection challenging.
  • Widespread impact potential – Any cached content on affected Sitecore instances becomes a potential target.

What makes this vulnerability especially severe is the ease with which cache keys can be enumerated when Sitecore’s ItemService API is exposed to the internet – a configuration that researchers found surprisingly common.


When this API is accessible, attackers can systematically identify all cacheable items on a website and their associated cache keys, turning what might be a blind attack into a precisely targeted assault.

Even where the ItemService API is not reachable, the researchers describe techniques for brute-forcing cache keys through timing attacks and analysis of the server’s responses.
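For defenders, the two pre-authentication pieces described above leave traces in ordinary IIS access logs: requests under the “/-/xaml/” handler path, and ItemService requests arriving from outside the organisation’s own networks. The Python script below is an added example written for this article, not code from watchTowr or Sitecore. The log excerpt is constructed, the XAML control name in it is a placeholder, the ItemService route prefix (/sitecore/api/ssc/) is assumed to be the platform default for Sitecore.Services.Client, and the list of internal address ranges is an assumption to be replaced with your own.

```python
import ipaddress
from typing import Iterator, NamedTuple

# Constructed IIS W3C log excerpt (not real traffic; client addresses are
# RFC 5737 documentation ranges and RFC 1918 private ranges).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip sc-status
2025-07-01 10:00:01 10.0.0.5 GET /sitecore/content/home - 203.0.113.7 200
2025-07-01 10:00:02 10.0.0.5 GET /-/xaml/ExampleControl - 203.0.113.7 200
2025-07-01 10:00:03 10.0.0.5 GET /sitecore/api/ssc/item/ - 203.0.113.9 200
2025-07-01 10:00:04 10.0.0.5 GET /sitecore/api/ssc/item/ - 10.0.0.20 200
2025-07-01 10:00:05 10.0.0.5 GET /-/media/logo.png - 198.51.100.3 200
"""

XAML_PREFIX = "/-/xaml/"                    # handler path named in the research
ITEMSERVICE_PREFIX = "/sitecore/api/ssc/"   # assumption: default ItemService route

# Assumption: the deployment's own internal ranges; adjust to your network.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


class Finding(NamedTuple):
    line_no: int
    client_ip: str
    uri: str
    reason: str


def parse_w3c(text: str) -> Iterator[tuple[int, dict[str, str]]]:
    """Yield (line number, field->value) for each record, using the #Fields header."""
    fields: list[str] = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed record; a production tool should report it
        yield n, dict(zip(fields, values))


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the configured internal ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparsable addresses are treated as untrusted
    return any(addr in net for net in INTERNAL_NETS)


def scan(text: str) -> list[Finding]:
    """Flag XAML-handler requests and ItemService requests from external clients."""
    findings: list[Finding] = []
    for n, rec in parse_w3c(text):
        uri = rec.get("cs-uri-stem", "")
        ip = rec.get("c-ip", "")
        low = uri.lower()
        if low.startswith(XAML_PREFIX):
            findings.append(Finding(n, ip, uri,
                                    "request to XAML handler (cache-poisoning pathway)"))
        elif low.startswith(ITEMSERVICE_PREFIX) and not is_internal(ip):
            findings.append(Finding(n, ip, uri,
                                    "ItemService reached from an external address"))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.client_ip} {f.uri} -> {f.reason}")
```

Run against real logs, the first rule will also fire on legitimate back-office use of the XAML handler, so baseline it per source address before alerting; the second rule is the direct check the article recommends, whether the ItemService API is answering requests that originate outside your own networks.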


RCE via Deserialization Flaws

Building on the cache poisoning capability, researchers identified a post-authentication remote code execution vulnerability (CVE-2025-53691) that completes the attack chain.

This flaw exploits insecure deserialization in Sitecore’s ConvertToRuntimeHtml pipeline, where user-controlled HTML content is processed without proper security validation.

The vulnerability lies in Sitecore’s use of the unsafe BinaryFormatter for deserializing base64-encoded objects embedded in HTML content.

Attackers can craft malicious HTML containing specially encoded deserialization gadgets that, when processed by the vulnerable pipeline, execute arbitrary code on the target server.

The attack can be triggered through Sitecore’s Content Editor functionality, requiring only basic content editing privileges rather than full administrative access.

Particularly concerning is that this deserialization sink appears to be a legacy issue that Sitecore attempted to address by removing accessible routes to the vulnerable code rather than fixing the underlying security flaw.

The watchTowr research demonstrates that alternative pathways to trigger this vulnerability still exist, leaving systems exposed even after previous security updates.
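Because the payload is described as a base64-encoded BinaryFormatter object embedded in HTML, content that reaches the ConvertToRuntimeHtml pipeline can be screened for the BinaryFormatter stream header before it is stored or rendered. The script below is an added example for this article, not code from watchTowr or Sitecore. It checks the documented layout of the .NET SerializationHeaderRecord (record type 0x00, a 32-bit root id, header id -1, major version 1, minor version 0); the HTML and the two base64 blobs are constructed for the demonstration, and no real gadget chain is included.

```python
import base64
import re

# Runs of base64 text long enough to hold at least the 17-byte header.
_B64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def looks_like_binaryformatter(blob: bytes) -> bool:
    """Match the SerializationHeaderRecord that opens every BinaryFormatter stream."""
    return (len(blob) >= 17
            and blob[0] == 0x00                        # RecordTypeEnum.SerializedStreamHeader
            and blob[5:9] == b"\xff\xff\xff\xff"       # HeaderId == -1
            and blob[9:13] == b"\x01\x00\x00\x00"      # MajorVersion == 1
            and blob[13:17] == b"\x00\x00\x00\x00")    # MinorVersion == 0


def find_binaryformatter_blobs(html: str) -> list[str]:
    """Return every base64 run in the HTML that decodes to a BinaryFormatter stream."""
    hits: list[str] = []
    for m in _B64_RUN.finditer(html):
        run = m.group(0)
        padded = run + "=" * (-len(run) % 4)
        try:
            decoded = base64.b64decode(padded, validate=True)
        except ValueError:      # binascii.Error is a ValueError subclass
            continue
        if looks_like_binaryformatter(decoded):
            hits.append(run)
    return hits


# Constructed test data: a header with RootId 1 followed by filler bytes (no
# real gadget), and a benign PNG-looking blob that must not be flagged.
_HEADER = (b"\x00"
           + (1).to_bytes(4, "little")
           + (-1).to_bytes(4, "little", signed=True)
           + (1).to_bytes(4, "little")
           + (0).to_bytes(4, "little"))
SUSPECT = base64.b64encode(_HEADER + b"\x0c\x02\x00\x00\x00" + b"A" * 16).decode()
BENIGN = base64.b64encode(b"\x89PNG\r\n\x1a\n" + b"\x00" * 24).decode()
SAMPLE_HTML = (
    "<p>Welcome</p>"
    f'<img src="data:image/png;base64,{BENIGN}">'
    f'<div data-state="{SUSPECT}">content</div>'
)

if __name__ == "__main__":
    for blob in find_binaryformatter_blobs(SAMPLE_HTML):
        print("BinaryFormatter stream embedded in HTML:", blob[:32], "...")
```

A positive match is a strong signal, since legitimate page content has no reason to carry a serialized .NET object graph, and the well-known text prefix “AAEAAAD/////” is what this check amounts to when the blob is base64-aligned. The check is a compensating control only: the durable fix is to remove BinaryFormatter from the pipeline, which is the point the research makes about Sitecore’s earlier route-removal patch.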

Critical Impact Timeline

The vulnerabilities affect Sitecore Experience Platform version 10.4.1 and potentially earlier versions, impacting an estimated 22,000 Sitecore instances worldwide according to internet scanning data.

The affected systems include websites operated by major enterprises across various industries, making the potential impact substantial.

Sitecore responded promptly to the disclosure, releasing patches in June and July 2025 after receiving the vulnerability reports in February and March.

However, the extended timeline between discovery and patching highlights the complexity of addressing deeply embedded security flaws in enterprise content management systems.

The research emphasizes a concerning trend where security vulnerabilities in popular enterprise platforms can create cascading effects across thousands of organizations.

The combination of pre-authentication cache poisoning with post-authentication code execution represents a complete compromise scenario that could allow attackers to establish persistent access to target environments.

Organizations using Sitecore Experience Platform should immediately verify they have applied the latest security patches and review their ItemService API configurations to ensure they are not unnecessarily exposed to internet-based attacks.

The discovery serves as a stark reminder of the importance of regular security assessments for critical enterprise infrastructure components.
