CISA Highlights Exploitation of Six-Year-Old Sitecore Vulnerabilities

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two critical vulnerabilities affecting Sitecore Content Management System (CMS) and Experience Platform (XP) to its Known Exploited Vulnerabilities (KEV) catalog, on March 26, 2025. The flaws, CVE-2019-9874 and CVE-2019-9875, were disclosed in 2019 and are being actively exploited, and CISA has directed federal civilian agencies to remediate them by April 16, 2025.

Understanding the Vulnerabilities

Both vulnerabilities reside in the Sitecore.Security.AntiCSRF module, which deserializes an attacker-controlled value without validating it. Because the anti-CSRF token is read before the request is otherwise processed, a crafted serialized .NET object placed in that parameter is deserialized by the server and can be used to run arbitrary code in the context of the web application:

– CVE-2019-9874: CVSS score 9.8 (critical). An unauthenticated attacker can execute arbitrary code by sending a serialized .NET object in the HTTP POST parameter `__CSRFTOKEN`.

– CVE-2019-9875: CVSS score 8.8 (high). An authenticated attacker can execute arbitrary code through the same channel, a serialized .NET object in the `__CSRFTOKEN` parameter. The authentication requirement is the only difference between the two issues, and it is why this one is rated lower.

Sitecore acknowledged active exploitation of CVE-2019-9874 in an update shared on March 30, 2020. No public report of in-the-wild exploitation of CVE-2019-9875 had been cited before CISA's listing, although its inclusion in the KEV catalog means CISA now has evidence of exploitation for both.
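The page describes the attack channel (a serialized .NET object delivered in the `__CSRFTOKEN` POST parameter) but not how to spot it. The following Python detector is an added example, not code from the page, from Sitecore, or from any exploit. It inspects form-encoded POST bodies and flags a `__CSRFTOKEN` value that base64-decodes to a BinaryFormatter stream or contains type names used by common .NET gadget chains. Two assumptions are made and marked in the code: that the payload uses BinaryFormatter (the page only says "serialized .NET object"), and that the sample bodies, including the `sc_mode` field and the benign token, are constructed rather than captured traffic.

```python
import base64
import binascii
from typing import Optional
from urllib.parse import parse_qs, quote_plus

# Leading bytes of every BinaryFormatter stream (SerializationHeaderRecord: record
# type 0x00, RootId 1, HeaderId -1); base64-encoded they read "AAEAAAD/////".
# Assumption: the serialized .NET object sent in __CSRFTOKEN is a BinaryFormatter
# payload. Other .NET formatters begin differently and would need their own magic.
BINARYFORMATTER_MAGIC = b"\x00\x01\x00\x00\x00\xff\xff\xff\xff"

# Type names that appear in the decoded stream for common .NET gadget chains
# (non-exhaustive; extend with the chains your own detection team tracks).
GADGET_MARKERS = (b"System.Diagnostics.Process", b"System.Windows.Data.ObjectDataProvider")


def decode_token(value: str) -> Optional[bytes]:
    """Base64-decode a form value; None if it is not valid base64."""
    # parse_qs turns '+' into ' ' when the client did not percent-encode it.
    value = value.strip().replace(" ", "+")
    padded = value + "=" * (-len(value) % 4)
    try:
        return base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None


def inspect_csrftoken(body: str) -> list:
    """Return the reasons a POST body's __CSRFTOKEN looks like a serialized .NET object."""
    reasons = []
    for token in parse_qs(body, keep_blank_values=True).get("__CSRFTOKEN", []):
        raw = decode_token(token)
        if raw is None:
            continue
        if raw.startswith(BINARYFORMATTER_MAGIC):
            reasons.append("BinaryFormatter stream header in __CSRFTOKEN")
        for marker in GADGET_MARKERS:
            if marker in raw:
                reasons.append("gadget type name %s in __CSRFTOKEN" % marker.decode())
    return reasons


def make_body(token_bytes: bytes) -> str:
    """Build a form-encoded POST body carrying the given bytes as __CSRFTOKEN."""
    return "__CSRFTOKEN=" + quote_plus(base64.b64encode(token_bytes).decode()) + "&sc_mode=edit"


# Constructed samples, not real captures: an opaque benign token and a stub that
# carries only the stream header plus a length-prefixed gadget type name. The stub
# is not a working gadget chain; it only exercises the detector.
BENIGN_BODY = make_body(bytes(range(0x20, 0x38)))
PAYLOAD_STUB = (BINARYFORMATTER_MAGIC + b"\x01\x00\x00\x00\x00\x00\x00\x00"
                + b"\x1aSystem.Diagnostics.Process\x05Start")
MALICIOUS_BODY = make_body(PAYLOAD_STUB)

if __name__ == "__main__":
    for label, body in (("benign", BENIGN_BODY), ("malicious", MALICIOUS_BODY)):
        print(label, inspect_csrftoken(body) or ["no indicators"])
```

Run it over decoded request bodies from your web server or WAF logs; a legitimate anti-CSRF token never decodes to a formatter header, so a single hit is worth an alert. The check is deliberately cheap so it can sit in a proxy or log pipeline, and it tolerates the `+`/space confusion that form decoding introduces into base64 values.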

Implications of Active Exploitation

Active exploitation of these vulnerabilities poses a significant risk to organizations running affected versions of Sitecore CMS and XP. Because the deserialization happens server-side and before authentication in the case of CVE-2019-9874, a single crafted POST request is enough to execute code on the web server, from which attackers can plant web shells, read content database credentials, and move further into the network. Inclusion in CISA's KEV catalog confirms that exploitation is occurring and signals that remediation should be treated as urgent.

Recommended Actions

To mitigate the risks associated with these vulnerabilities, organizations should take the following steps:

1. Apply Patches Promptly: Upgrade affected Sitecore CMS and XP installations to a vendor-supported release that contains the Sitecore.Security.AntiCSRF fix. Federal civilian agencies are bound to the April 16, 2025 deadline under CISA's Binding Operational Directive 22-01; other organizations should treat it as a reasonable target.

2. Review Access Controls: CVE-2019-9875 requires an authenticated session, so audit Sitecore user accounts, remove stale ones, and restrict network access to the Sitecore client and admin interfaces so that CVE-2019-9874 cannot be reached from the internet where that is feasible.

3. Monitor Systems: Log and alert on POST requests whose `__CSRFTOKEN` parameter carries a long base64 blob rather than a normal token, and review process-creation telemetry for child processes spawned by the IIS worker process (w3wp.exe) hosting Sitecore, which is the typical footprint of a deserialization exploit.

4. Educate Staff: Ensure the teams that operate Sitecore know how to recognize and escalate signs of compromise, including unexpected files in the web root and unexplained administrative changes.

Broader Context of Exploitation

The exploitation of these Sitecore vulnerabilities is part of a larger trend of attackers targeting known flaws in widely used software. For instance, Akamai has observed initial exploit attempts against a newly disclosed security flaw in the Next.js web framework (CVE‑2025‑29927), which has a CVSS score of 9.1. This authorization bypass allows an attacker to skip middleware-based security checks by supplying the `x-middleware-subrequest` header, which Next.js uses internally to mark its own sub-requests; when an external request carries it with the middleware's name, the framework treats the request as already processed and the authentication or authorization logic in the middleware never runs, potentially granting access to protected application resources.
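For deployments that cannot upgrade immediately, the mitigation is to stop the `x-middleware-subrequest` header from reaching the application from the outside. The following Python function is an added example, not code from the page or from the Next.js project, modelling the check a reverse proxy or edge rule would apply: it drops the header from inbound requests and records whether the value named a conventional middleware module. The middleware module names and the request samples are assumptions marked in the code; the five-fold repetition in the second sample mirrors the shape of the public proof of concept, where the name is repeated to satisfy the framework's recursion-depth guard.

```python
from typing import Dict, List, Tuple

# Header Next.js sets on its own internal sub-requests so middleware is not run
# again recursively. It is meaningful only inside the app and must never be
# accepted from the public side of a reverse proxy.
INTERNAL_HEADER = "x-middleware-subrequest"

# Module names a spoofed value would carry for the conventional middleware locations.
# Assumption: root "middleware", "src/middleware", or the legacy "pages/_middleware".
MIDDLEWARE_NAMES = {"middleware", "src/middleware", "pages/_middleware"}


def sanitize_inbound_headers(headers: Dict[str, str]) -> Tuple[Dict[str, str], List[str]]:
    """Strip the internal header from an external request.

    Returns the cleaned header map and a list of findings describing what was
    removed, so the proxy can both neutralise and log the attempt. Header names
    are matched case-insensitively, as HTTP requires.
    """
    clean: Dict[str, str] = {}
    findings: List[str] = []
    for name, value in headers.items():
        if name.lower() != INTERNAL_HEADER:
            clean[name] = value
            continue
        parts = [p.strip() for p in value.split(":") if p.strip()]
        targeted = sorted(set(parts) & MIDDLEWARE_NAMES)
        if targeted:
            findings.append("%s spoofed: names %s, %d entries"
                            % (INTERNAL_HEADER, ",".join(targeted), len(parts)))
        else:
            findings.append("%s present from outside with value %r" % (INTERNAL_HEADER, value))
    return clean, findings


# Constructed request headers, not real captures.
CONSTRUCTED_REQUESTS = [
    {"host": "app.example.com", "user-agent": "Mozilla/5.0"},
    {"host": "app.example.com",
     "x-middleware-subrequest": "middleware:middleware:middleware:middleware:middleware"},
    {"host": "app.example.com", "X-Middleware-Subrequest": "src/middleware"},
    {"host": "app.example.com", "x-middleware-subrequest": "something-else"},
]

if __name__ == "__main__":
    for req in CONSTRUCTED_REQUESTS:
        clean, findings = sanitize_inbound_headers(req)
        print(findings or ["clean"], sorted(clean))
```

Dropping the header rather than rejecting the request keeps legitimate traffic flowing while removing the bypass; logging the finding gives the detection team a signal that someone is probing for the flaw. Upgrading to a fixed Next.js release remains the actual remediation, since the header is only one input the framework trusts internally.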

Additionally, GreyNoise has reported active exploitation attempts against several known vulnerabilities in DrayTek devices, including:

– CVE-2020-8515: An operating system command injection vulnerability in DrayTek Vigor2960, Vigor3900, and Vigor300B routers, allowing unauthenticated remote code execution as root via shell metacharacters passed to the cgi-bin/mainfunction.cgi endpoint.

– CVE-2021-20123 and CVE-2021-20124: Local file inclusion vulnerabilities in DrayTek VigorConnect, enabling unauthenticated attackers to download arbitrary files from the underlying operating system with root privileges.

These incidents show that attackers do not distinguish between a flaw disclosed last week and one disclosed six years ago; any reachable, unpatched instance is a target, which is why vulnerability management has to be driven by exposure and exploitation status rather than by the age of the advisory.

Conclusion

The active exploitation of six-year-old vulnerabilities in Sitecore CMS and XP is a stark reminder of the persistent risk carried by unpatched software. Organizations must inventory the Sitecore versions they run, confirm that the AntiCSRF fix is in place, and treat the KEV catalog as a prioritized to-do list for known flaws. Staying informed and acting on that information promptly is what narrows the window in which both old and new vulnerabilities can be turned against them.