Sitecore Experience Remote Code Execution through Insecure Deserialization_CVE-2025-53691

8.8 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

Deserialization of Untrusted Data vulnerability in Sitecore Experience Manager (XM), Sitecore Experience Platform (XP) allows Remote Code Execution (RCE).This issue affects Experience Manager (XM): from 9.0 through 9.3, from 10.0 through 10.4; Experience Platform (XP): from 9.0 through 9.3, from 10.0 through 10.4.

Basic Information

ID CVE-2025-53691

Source Wiz

Published Sep 3, 2025 at 12:36

Modified Sep 3, 2025 at 13:28

Affected Product

Vendor Sitecore

Product Experience Manager (XM)

Version 9.0

Affected Versions Sitecore Experience Manager (XM) 9.0
Sitecore Experience Manager (XM) 10.0
Sitecore Experience Platform (XP) 9.0
Sitecore Experience Platform (XP) 10.0

CWE Classification

CWE-502

References

{
    "lastseen": "",
    "description": "Deserialization of Untrusted Data vulnerability in Sitecore Experience Manager (XM), Sitecore Experience Platform (XP) allows Remote Code Execution (RCE).This issue affects Experience Manager (XM): from 9.0 through 9.3, from 10.0 through 10.4; Experience Platform (XP): from 9.0 through 9.3, from 10.0 through 10.4.",
    "published": "2025-09-03T12:36:59.561Z",
    "modified": "2025-09-03T13:28:29.351Z",
    "type": "cve",
    "title": "Sitecore Experience Remote Code Execution through Insecure Deserialization",
    "source": "Wiz",
    "references": "https://labs.watchtowr.com/cache-me-if-you-can-sitecore-experience-platform-cache-poisoning-to-rce/\nhttps://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1003667",
    "id": "CVE-2025-53691",
    "bulletinFamily": "",
    "cwe": [
        "CWE-502"
    ],
    "cvelist": null,
    "sourceData": "Sitecore Experience Manager (XM) 9.0\nSitecore Experience Manager (XM) 10.0\nSitecore Experience Platform (XP) 9.0\nSitecore Experience Platform (XP) 10.0",
    "sourceHref": "",
    "cvss": {
        "score": 8.8,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Experience Manager (XM)",
    "version": "9.0",
    "vendor": "Sitecore",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}