Categories: Cyber Security News

CISA Adds Sitecore CMS Code Execution Vulnerability to List of Known Exploited Vulnerabilities

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has officially added two critical Sitecore CMS vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild. 

The vulnerabilities, CVE-2019-9874 and CVE-2019-9875, both affect the Sitecore.Security.AntiCSRF module and allow attackers to execute arbitrary code on vulnerable systems.

Critical Vulnerabilities Details and Impact

CVE-2019-9874, with a CVSS score of 9.8, is the more severe of the two: it lets an unauthenticated attacker exploit a deserialization flaw to achieve remote code execution.

The exploit tampers with the __CSRFTOKEN HTTP POST parameter, replacing it with a maliciously crafted serialized .NET object that the AntiCSRF module deserializes when it validates the request.

The second vulnerability, CVE-2019-9875 (CVSS 8.8), affects the same module but requires authentication. That raises the barrier to entry, but the attack is just as simple and the impact is the same.

Once logged in, a threat actor can use the same deserialization vector to take control of the server.

“The deserialization vulnerability occurs at a stage prior to application logic execution, allowing attackers to bypass security controls entirely.”

Attackers can generate such payloads with tools like ysoserial.net, encoding PowerShell commands that open a remote shell or drop malware; because the object is deserialized before request handling, these requests can pass ordinary application-level controls without raising typical security alarms.
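The following is an added triage example, not code from Sitecore, CISA or the original article. It pulls the __CSRFTOKEN field out of a form-encoded POST body, base64-decodes it, checks whether the bytes carry the BinaryFormatter SerializationHeaderRecord (record type 0, format version 1.0, the "AAEAAAD/////AQAAAAAAAAA..." prefix seen in ysoserial.net output), and looks for gadget-chain type names and command strings. The marker list and the 1024-byte size threshold are assumptions chosen for illustration, and the sample bodies are constructed; whether a benign token in a given Sitecore version is itself a serialized object is not established here, so the header alone yields "suspicious" and only the header plus a gadget fingerprint or an oversized stream yields "malicious".

```python
"""Heuristic triage of Sitecore __CSRFTOKEN values for BinaryFormatter gadget payloads.

Added example, not Sitecore/CISA code. All sample inputs below are constructed.
"""
import base64
import binascii
from typing import Optional
from urllib.parse import parse_qs, urlencode

# Every BinaryFormatter stream opens with a 17-byte SerializationHeaderRecord:
# RecordType 0x00, RootId (int32, usually 1), HeaderId (int32, usually -1),
# MajorVersion 1, MinorVersion 0. Base64-encoded, this is the familiar "AAEAAAD/////AQAAAAAAAAA".
BINARY_FORMATTER_HEADER = bytes([0x00,
                                 0x01, 0x00, 0x00, 0x00,
                                 0xFF, 0xFF, 0xFF, 0xFF,
                                 0x01, 0x00, 0x00, 0x00,
                                 0x00, 0x00, 0x00, 0x00])

# Type names and command fragments that ysoserial.net gadget chains leave as plain
# strings inside the object graph. Illustrative list, not exhaustive (assumption).
GADGET_MARKERS = (
    b"System.Diagnostics.Process",
    b"TypeConfuseDelegate",
    b"ObjectDataProvider",
    b"ActivitySurrogateSelector",
    b"powershell",
    b"cmd.exe",
)

# Gadget chains run to kilobytes; a CSRF token should not. Threshold is an assumption.
SUSPICIOUS_LENGTH = 1024


def decode_token(token: str) -> Optional[bytes]:
    """Base64-decode a token, tolerating URL-safe alphabet and stripped padding."""
    cleaned = token.strip().replace("-", "+").replace("_", "/")
    cleaned += "=" * (-len(cleaned) % 4)
    try:
        return base64.b64decode(cleaned, validate=True)
    except (binascii.Error, ValueError):
        return None


def is_binary_formatter(raw: bytes) -> bool:
    """Match the header loosely: record type 0 and format version 1.0.
    RootId/HeaderId are not checked because hand-built streams may vary them."""
    return len(raw) >= 17 and raw[0] == 0x00 and raw[9:17] == b"\x01\x00\x00\x00\x00\x00\x00\x00"


def triage_token(token: str) -> dict:
    """Classify one __CSRFTOKEN value as benign / suspicious / malicious."""
    raw = decode_token(token)
    result = {"decodes": raw is not None, "binary_formatter": False,
              "markers": [], "length": 0, "verdict": "benign"}
    if raw is None:
        return result
    result["length"] = len(raw)
    result["binary_formatter"] = is_binary_formatter(raw)
    result["markers"] = [m.decode() for m in GADGET_MARKERS if m in raw]
    if result["binary_formatter"] and (result["markers"] or len(raw) > SUSPICIOUS_LENGTH):
        result["verdict"] = "malicious"
    elif result["binary_formatter"]:
        result["verdict"] = "suspicious"  # serialized object without a known gadget fingerprint
    return result


def triage_post_body(body: str) -> Optional[dict]:
    """Extract __CSRFTOKEN from an application/x-www-form-urlencoded body and triage it."""
    tokens = parse_qs(body, keep_blank_values=True).get("__CSRFTOKEN")
    if not tokens:
        return None
    return triage_token(tokens[0])


def build_sample_payload() -> str:
    """Constructed stand-in for a ysoserial.net stream: genuine header, fake body that
    carries a gadget type name. It is NOT a working gadget chain."""
    body = (b"\x0c\x02\x00\x00\x00"
            + b"System.Diagnostics.Process, System, Version=4.0.0.0"
            + b"\x00" * 1100)
    return base64.b64encode(BINARY_FORMATTER_HEADER + body).decode()


# Constructed sample request bodies (benign token vs. crafted serialized object).
SAMPLE_BENIGN_BODY = urlencode({
    "__CSRFTOKEN": base64.b64encode(b"constructed benign token bytes 0123").decode(),
    "__VIEWSTATE": "dDwtMTI3MzM5Mjg4Nzs7Pg==",
})
SAMPLE_MALICIOUS_BODY = urlencode({
    "__CSRFTOKEN": build_sample_payload(),
    "__VIEWSTATE": "dDwtMTI3MzM5Mjg4Nzs7Pg==",
})

if __name__ == "__main__":
    for label, body in (("benign", SAMPLE_BENIGN_BODY), ("crafted", SAMPLE_MALICIOUS_BODY)):
        print(label, triage_post_body(body))
```

Run it over IIS request logs or a proxy capture that retains POST bodies; anything rated "malicious" against a /sitecore/ path on an unpatched host should be treated as an exploitation attempt rather than a false positive.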

The vulnerabilities are summarized as follows:

Risk Factors          | CVE-2019-9874                          | CVE-2019-9875
----------------------|----------------------------------------|-------------------------------
Affected Products     | Sitecore CMS 7.0-7.2 and XP 7.5-8.2    | Sitecore versions up to 9.1.0
Impact                | Remote Code Execution                  | Remote Code Execution
Exploit Prerequisites | Unauthenticated access                 | Authenticated access
CVSS 3.1 Score        | 9.8 (Critical)                         | 8.8 (High)

These vulnerabilities affect multiple versions of Sitecore software:

  • CVE-2019-9874 impacts Sitecore CMS 7.0–7.2 and XP 7.5–8.2
  • CVE-2019-9875 affects Sitecore versions up to 9.1.0

CISA has mandated that all Federal Civilian Executive Branch (FCEB) agencies apply available patches no later than April 16, 2025. The vulnerabilities were added to the KEV catalog on March 26, 2025, signaling their active exploitation status.

Mitigation Measures

Sitecore released fixes shortly after the initial discovery of these vulnerabilities in 2019, but many organizations remain unpatched. Mitigation options include:

  • For versions prior to 9.0, a hotfix is available via Sitecore KB Article 334035
  • For versions 9.0 and above, upgrading to Sitecore 9.1 Update-1 resolves the issue

Organizations unable to apply patches immediately can implement temporary workarounds by denying access to the Website\sitecore\shell folder (the Sitecore back-end interface) on all Sitecore instances, or by implementing IP-based restrictions that limit access to that path to trusted addresses. Either measure also blocks legitimate content editors outside the allowed addresses, so it is a stopgap rather than a substitute for the hotfix or upgrade.

“Organizations should use the KEV catalog as an input to their vulnerability management prioritization framework,” CISA advises.

The resurgence of these six-year-old vulnerabilities highlights the persistent nature of security threats, even for previously disclosed and patched issues. 

Security professionals are urged to review their Sitecore deployments immediately and take appropriate action to mitigate these actively exploited vulnerabilities.


The post CISA Adds Sitecore CMS Code Execution Vulnerability to List of Known Exploited Vulnerabilities appeared first on Cyber Security News.
