Sitecore published Security Bulletin SC2025-003 on June 16, 2025 to address three critical vulnerabilities in Experience Manager (XM) 9.0–10.4, Experience Platform (XP) 10.1–10.4, Experience Commerce (XC) 10.1–10.4, and any Managed Cloud deployments running those versions. Successful exploitation could lead to unauthenticated remote code execution or data disclosure.
All affected customers must immediately install the appropriate hotfix:

- XM/XP/XC 9.0–9.3: Unpack and apply Sitecore.Support.9.0-9.3.zip according to its Readme.
- XP/XC 10.0–10.4: Unpack and apply Sitecore.Support.10.0-10.4.zip according to its Readme.
These patches remediate three CVEs disclosed by watchTowr on June 17, 2025:

- CVE-2025-34509 (WT-2025-0024): hardcoded “b” password on the internal sitecore\ServicesAPI account, allowing alternate-path authentication and valid .AspNet.Cookies sessions.
- CVE-2025-34510 (WT-2025-0032): Zip Slip in the Upload Wizard, enabling arbitrary file writes into the webroot.
- CVE-2025-34511 (WT-2025-0025): post-auth RCE via the Sitecore PowerShell Extensions module.
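The Zip Slip item above (CVE-2025-34510) is an instance of a general archive-extraction hazard: an entry name such as `../../x` is joined to the destination folder without checking where it ends up. The following Python extractor is an added illustration, not code from Sitecore, from the Upload Wizard, or from watchTowr's write-up; it shows the containment check an upload handler needs, rejecting absolute names, drive prefixes and `..` components and then confirming that the resolved target still lies under the destination root. The sample archive, its entry names and all function names are constructed for this example.

```python
import io
import os
import tempfile
import zipfile


def is_safe_entry(dest_dir: str, name: str) -> bool:
    """Return True only when a zip entry name, joined to dest_dir, still
    resolves inside dest_dir. Absolute paths, drive-letter prefixes and
    '..' components (the Zip Slip pattern) are all rejected."""
    # Zip entries should use '/', but archives built elsewhere may use '\'.
    norm = name.replace("\\", "/")
    parts = norm.split("/")
    if not norm or norm.startswith("/") or ":" in parts[0]:
        return False
    if ".." in parts:
        return False
    root = os.path.realpath(dest_dir)
    # realpath also resolves symlinks below dest_dir, so a symlinked
    # subfolder pointing outside the root is caught as well.
    target = os.path.realpath(os.path.join(root, *parts))
    return target == root or target.startswith(root + os.sep)


def extract_safely(zip_bytes: bytes, dest_dir: str):
    """Extract an in-memory archive into dest_dir, skipping any entry
    whose name would escape it. Returns (extracted, rejected) name lists."""
    root = os.path.realpath(dest_dir)
    extracted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if not is_safe_entry(root, name):
                rejected.append(name)
                continue
            if name.endswith("/"):
                continue  # directory entry; folders are created on demand below
            target = os.path.join(root, *name.replace("\\", "/").split("/"))
            os.makedirs(os.path.dirname(target), exist_ok=True)
            # Entries are written by hand rather than via ZipFile.extract so
            # that the containment check above is the only thing standing
            # between the archive and the filesystem, as in an upload handler.
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            extracted.append(name)
    return extracted, rejected


def build_sample_zip() -> bytes:
    """Constructed sample archive: one benign entry plus two entries that
    try to land outside the destination folder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("templates/ok.txt", "benign content")
        zf.writestr("../../escaped.txt", "would land two levels above the upload folder")
        zf.writestr("/abs/path.txt", "absolute path entry")
    return buf.getvalue()


def demo() -> dict:
    """Run the extractor on the sample archive in a fresh temp directory."""
    dest = tempfile.mkdtemp(prefix="upload-")
    extracted, rejected = extract_safely(build_sample_zip(), dest)
    return {
        "extracted": extracted,
        "rejected": rejected,
        "ok_written": os.path.isfile(os.path.join(dest, "templates", "ok.txt")),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` extracts only `templates/ok.txt` and reports the two escaping names as rejected. The same check in .NET is the comparison of `Path.GetFullPath(Path.Combine(dest, entry.FullName))` against the destination root before any write; rejecting the entry (and logging the archive and its source) is the correct response, since silently dropping the name hides an attempt worth investigating.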
Note that XM Cloud, Content Hub, CDP/Personalize, OrderCloud, Storefront, Moosend, Send, Discover, Search, and Commerce Server are not impacted. Until cumulative pre-releases include these fixes, manual hotfix installation is required—even on new Azure Marketplace or PaaS deployments.