Critical Sitecore CMS Platform Vulnerabilities Let Attackers Gain Full Control of Deployments

Critical vulnerabilities in Sitecore Experience Platform, one of the most widely deployed enterprise content management systems, potentially expose over 22,000 instances worldwide to complete system compromise. 

The vulnerabilities, discovered by watchTowr researchers, allow attackers to gain full control of Sitecore deployments through a combination of hardcoded credentials and file upload flaws that enable remote code execution.

Hardcoded Password Creates Universal Backdoor

The most significant discovery involves hardcoded credentials embedded within Sitecore’s installation packages. 

Researchers found that the sitecore\ServicesAPI user account is configured with an astonishingly weak password consisting of a single letter: “b”. 

This trivial password affects all Sitecore installations from version 10.1 onwards, created through what appears to be a catastrophic oversight in the product’s build process.

The vulnerability stems from the installer’s database seeding mechanism, where user credentials are pre-defined in the dbo.aspnet_Membership table using the hash format base64encode(sha1(base64decode(salt) + utf-16-le-encode(password))). 

Analysis of the installer’s .dacpac files revealed that these weak credentials are baked directly into the product distribution, meaning every Sitecore installation shares identical internal user passwords.
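Because the seeding formula above is public, a defender can recompute it to audit whether any membership row still carries the factory password. The following is an added audit helper, not Sitecore or watchTowr code; the salt and rows it runs on are constructed for the demonstration, and the table/column names follow the standard ASP.NET membership schema (dbo.aspnet_Membership.PasswordSalt / Password, joined to dbo.aspnet_Users for the username).

```python
import base64
import hashlib
import hmac

# Audit helper (added example, not Sitecore or watchTowr code).
# Recomputes the ASP.NET SqlMembershipProvider hash described in the article:
#   base64(sha1(base64decode(salt) + utf16le(password)))
# so rows from dbo.aspnet_Membership can be checked for the factory default.

DEFAULT_SERVICESAPI_PASSWORD = "b"  # value reported in the research


def aspnet_membership_hash(password_salt_b64: str, password: str) -> str:
    """Return the base64 SHA-1 membership hash for (salt, password)."""
    salt = base64.b64decode(password_salt_b64)
    digest = hashlib.sha1(salt + password.encode("utf-16-le")).digest()
    return base64.b64encode(digest).decode("ascii")


def uses_default_password(password_salt_b64: str, stored_hash_b64: str,
                          candidate: str = DEFAULT_SERVICESAPI_PASSWORD) -> bool:
    """True if the stored hash equals the hash of the candidate password."""
    expected = aspnet_membership_hash(password_salt_b64, candidate)
    # Constant-time comparison: not strictly needed offline, but a good habit.
    return hmac.compare_digest(expected, stored_hash_b64)


def audit_rows(rows):
    """rows: iterable of (UserName, PasswordSalt, Password) as read from
    dbo.aspnet_Membership joined with dbo.aspnet_Users.
    Returns the usernames still on the default password."""
    return [user for user, salt, pw_hash in rows
            if uses_default_password(salt, pw_hash)]


if __name__ == "__main__":
    # Constructed sample data: the salt is made up and the hashes are
    # generated here rather than copied from any real installation.
    demo_salt = base64.b64encode(b"\x01" * 16).decode("ascii")
    sample_rows = [
        ("sitecore\\ServicesAPI", demo_salt,
         aspnet_membership_hash(demo_salt, "b")),
        ("sitecore\\admin", demo_salt,
         aspnet_membership_hash(demo_salt, "rotated-secret-value")),
    ]
    for user in audit_rows(sample_rows):
        print(f"default password detected: {user}")
```

Any hit should be treated as an unpatched or unrotated deployment; the fix is to apply the vendor update and rotate the affected service-account credential rather than to edit the hash directly.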

Authentication bypass is achieved by targeting the /sitecore/admin endpoint rather than the standard /sitecore login path, as the admin site lacks the core database restriction that would normally block the ServicesAPI user. 

This allows attackers to generate valid session cookies and bypass critical authorization rules protecting sensitive system directories.

Path Traversal Vulnerabilities 

Once authenticated, attackers can exploit two separate post-authentication vulnerabilities to achieve remote code execution. 

The first involves a zip slip vulnerability in the Upload2.aspx file, accessible through the /sitecore/shell/Applications/Dialogs/Upload/ directory. 

By crafting malicious ZIP archives containing files with traversal sequences like /\/../webshell.aspx, attackers can write arbitrary files to the web root directory.

“The vulnerability lies in the SaveUnpackedFiles method, which processes ZIP entries without proper path validation,” reads the watchTowr Labs report.

The code uses FileUtil.MakePath(args.Folder, zipArchiveEntry.FullName, '\\') to construct file paths, but fails to sanitize directory traversal sequences. 

A clever exploitation technique leverages the FileUtil.MapPath() function to automatically resolve the correct web root path, eliminating the need for attackers to know the specific installation directory structure.

A second, simpler vulnerability exists in the Sitecore PowerShell Extension module through the PowerShellUploadFile2.aspx endpoint. 

This flaw allows unrestricted file uploads to arbitrary filesystem locations by manipulating the ItemUri parameter in POST requests to /sitecore%20modules/Shell/PowerShell/UploadFile/PowerShellUploadFile2.aspx.

The vulnerabilities affect a significant portion of enterprise infrastructure, with researchers identifying over 22,000 potentially vulnerable Sitecore instances exposed to the internet. 

The combination of hardcoded credentials and file upload flaws creates a particularly dangerous attack scenario, as no user interaction or social engineering is required for complete system compromise.

Sitecore has reportedly patched these vulnerabilities, with fixes available for over a month prior to the June 17, 2025, disclosure date. 

However, the research highlights broader concerns about secure development practices in enterprise software, where internal service accounts often retain weak default credentials that administrators are explicitly warned not to modify.

Organizations running Sitecore Experience Platform should immediately verify their installation versions and apply available security updates.


The post Critical Sitecore CMS Platform Vulnerabilities Let Attackers Gain Full Control of Deployments appeared first on Cyber Security News.