March 11 Advisory: Unauthenticated RCE Vulnerability in Sitecore Experience Platform & Manager [CVE-2025-27218]
Date of Disclosure (source): February 20, 2025
CVE-2025-27218 is an unauthenticated remote code execution (RCE) vulnerability affecting Sitecore Experience Platform and Experience Manager version 10.4 before KB1002844 (vendor hotfix).
CISA-ADP assigned this vulnerability a CVSS score of 5.3, which seems oddly low considering it doesn’t require authentication and allows for RCE.
Dylan Pindur and researchers from Searchlight Cyber traced the flaw to misuse of the `BinaryFormatter` class in `Convert.Base64ToObject`, which base64-decodes a string and deserializes the result with `BinaryFormatter` without validating it. More specifically, the `MachineKeyTokenService.IsTokenValid` method accepts a `ThumbnailsAccessToken` header, passes it to `Convert.Base64ToObject`, and operates on the resulting object without first verifying that the token is genuine. Because `BinaryFormatter` reconstructs arbitrary object graphs, an attacker who controls the header controls what gets deserialized, and a gadget-chain payload executes during deserialization itself, before any later check can reject it. Searchlight Cyber's proof of concept (PoC) demonstrates this by sending such a payload in `ThumbnailsAccessToken`: the server responds with a 500 error (the deserialized object is not a valid token), but by then the payload has already run, which they confirmed by observing its effect on the server's filesystem.
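The following triage helper is an added example, not code from Censys or Searchlight Cyber. It assumes only what the advisory states: the header carries a base64 string that the server hands to `BinaryFormatter`. It base64-decodes a `ThumbnailsAccessToken` value, checks for the fixed `BinaryFormatter` stream header (the familiar `AAEAAAD/////` prefix), and scans the decoded bytes for type names used by well-known ysoserial.net gadget chains. The sample requests, the assembly and type names in the "benign" sample, and the header-to-verdict mapping are constructed for the example.

```python
"""Triage helper for CVE-2025-27218 ThumbnailsAccessToken header values.

Added example, not Censys's or Searchlight Cyber's code. It assumes only what the
advisory states: the header is a base64 string that the server hands to
BinaryFormatter. The gadget type names are those of well-known ysoserial.net
chains; every sample request below is constructed, not captured traffic.
"""
import base64
import binascii
import re
from typing import Optional

# .NET BinaryFormatter stream header (MS-NRBF SerializationHeaderRecord):
# record type 0, RootId=1, HeaderId=-1, MajorVersion=1, MinorVersion=0.
# Base64-encoded streams therefore always start with "AAEAAAD/////".
NRBF_HEADER = b"\x00\x01\x00\x00\x00\xff\xff\xff\xff\x01\x00\x00\x00\x00\x00\x00\x00"

# Type names that ysoserial.net gadget chains leave in the serialized stream.
GADGET_MARKERS = (
    b"System.Windows.Data.ObjectDataProvider",   # ObjectDataProvider chain (WPF)
    b"System.Diagnostics.Process",               # the method most chains end up invoking
    b"System.Collections.Generic.SortedSet",     # TypeConfuseDelegate chain
    b"System.DelegateSerializationHolder",       # serialized delegate payloads
)


def decode_token(value: str) -> Optional[bytes]:
    """Decode like Convert.FromBase64String (whitespace ignored); None if not base64."""
    compact = re.sub(r"\s+", "", value)
    try:
        return base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        return None


def is_binaryformatter_stream(blob: bytes) -> bool:
    """True when the bytes begin with the fixed BinaryFormatter stream header."""
    return blob.startswith(NRBF_HEADER)


def find_gadget_markers(blob: bytes) -> list:
    """Type/assembly names are length-prefixed UTF-8 in the stream, so substring search works."""
    return [m.decode() for m in GADGET_MARKERS if m in blob]


def triage(token: Optional[str]) -> dict:
    """Classify one header value. A genuine token is also a BinaryFormatter stream,
    so the header alone is not an indicator; the gadget markers are."""
    if token is None:
        return {"verdict": "no-token", "markers": []}
    blob = decode_token(token)
    if blob is None:
        return {"verdict": "malformed-base64", "markers": []}
    if not is_binaryformatter_stream(blob):
        return {"verdict": "not-binaryformatter", "markers": []}
    markers = find_gadget_markers(blob)
    if markers:
        return {"verdict": "gadget-chain", "markers": markers}
    return {"verdict": "binaryformatter-no-known-gadget", "markers": []}


def triage_requests(requests: list) -> list:
    """Return (request id, verdict) pairs; header lookup is case-insensitive as in HTTP."""
    out = []
    for req in requests:
        headers = {k.lower(): v for k, v in req["headers"].items()}
        out.append((req["id"], triage(headers.get("thumbnailsaccesstoken"))["verdict"]))
    return out


# --- constructed sample data (not real Sitecore tokens or captured traffic) ---
def _nrbf_string(text: str) -> bytes:
    """Length-prefixed UTF-8 string as MS-NRBF writes it (single-byte length, so < 128 bytes)."""
    data = text.encode()
    assert len(data) < 128
    return bytes([len(data)]) + data


# Header + a BinaryLibrary record (0x0c) naming a hypothetical token assembly; rest omitted.
_BENIGN_BLOB = (NRBF_HEADER + b"\x0c\x02\x00\x00\x00"
                + _nrbf_string("ExampleTokenAssembly") + _nrbf_string("ExampleToken"))
# Same shape, but carrying the type names an ObjectDataProvider chain would serialize.
_GADGET_BLOB = (NRBF_HEADER + b"\x0c\x02\x00\x00\x00"
                + _nrbf_string("PresentationFramework")
                + _nrbf_string("System.Windows.Data.ObjectDataProvider")
                + _nrbf_string("System.Diagnostics.Process"))

SAMPLE_REQUESTS = [
    {"id": "legit-token", "headers": {"ThumbnailsAccessToken": base64.b64encode(_BENIGN_BLOB).decode()}},
    {"id": "gadget-token", "headers": {"ThumbnailsAccessToken": base64.b64encode(_GADGET_BLOB).decode()}},
    {"id": "garbage-token", "headers": {"ThumbnailsAccessToken": "not base64!!"}},
    {"id": "plain-text-token", "headers": {"thumbnailsaccesstoken": base64.b64encode(b"opaque-session-id").decode()}},
    {"id": "no-header", "headers": {}},
]

if __name__ == "__main__":
    for req_id, verdict in triage_requests(SAMPLE_REQUESTS):
        print(f"{req_id:18} {verdict}")
```

In practice the first filter over proxy or IIS logs is simply the `AAEAAAD/////` prefix on the header value; since the service expects a `BinaryFormatter`-serialized token, genuine traffic matches it too, so the gadget markers (or, better, the absence of the expected token type) are what separate an attack from normal use. Extend `GADGET_MARKERS` with whatever chain names your detection team tracks.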
This vulnerability is not known to be actively exploited at the time of writing. However, this is an unauthenticated RCE vulnerability with a working PoC, meaning the barrier to exploitation is extremely low. Sitecore users should apply the vendor’s hotfix immediately.
Field | Details
---|---
CVE-ID | CVE-2025-27218 – CVSS 5.3 (medium) – assigned by CISA-ADP
Vulnerability Description | Sitecore Experience Manager and Experience Platform 10.4 (before KB1002844) contain an insecure deserialization flaw that allows for RCE without authentication.
Date of Disclosure | February 20, 2025
Affected Assets | MachineKeyTokenService.IsTokenValid method in Sitecore Experience Manager and Experience Platform
Vulnerable Software Versions | 10.4 before KB1002844 (vendor hotfix)
PoC Available? | A PoC writeup was published by Dylan Pindur from Searchlight Cyber.
Exploitation Status | We did not observe this vulnerability on CISA’s list of known exploited vulnerabilities or in GreyNoise at the time of writing.
Patch Status | This vulnerability has been patched. Refer to the vendor advisory for details on applying the fix.
Censys Perspective
At the time of writing, Censys observed 1,418 instances of Sitecore Experience Platform online. 1,366 of these did not expose a version, although this does not necessarily indicate that they are not vulnerable. In the rare cases where a version was exposed, none were running 10.4 and were, therefore, unaffected by this vulnerability. Additionally, we were unable to detect instances of Sitecore Experience Manager.
Map of Exposed Sitecore Experience Platform Instances: (map image not reproduced here)

Queries and risk name used for the counts above:

```
services.software: (vendor="Sitecore" and product="Experience Platform")
host.services.software: (vendor:"Sitecore" and product:"Experience Platform") or web.software: (vendor:"Sitecore" and product:"Experience Platform")
host.services.software: (vendor="Sitecore" and product="Experience Platform")
risks.name = "Vulnerable Sitecore Experience Platform [CVE-2025-27218]"
```

Please note that these fingerprints and the associated risk were recently deployed, and results may take up to 24 hours to fully propagate.