
Three new security vulnerabilities have been disclosed in the Sitecore Experience Platform that could be chained to enable information disclosure and remote code execution.
The flaws, per watchTowr Labs, are listed below –
CVE-2025-53693 – HTML cache poisoning through insecure reflection
CVE-2025-53691 – Remote Code Execution (RCE)
Patches for the first two flaws were released by Sitecore in June 2025 and for the third in July 2025. The company says, "Successful exploitation of the related vulnerabilities could lead to remote code execution and unauthorized access to information."

The findings follow three other flaws in the same product that watchTowr detailed in June –
CVE-2025-34509 (CVSS score: 8.2) – Use of hard-coded credentials
watchTowr Labs researcher Piotr Bazydlo said the newly discovered bugs could be fashioned into an exploit chain by combining them with a post-authentication remote code execution issue to compromise fully patched instances of the Sitecore Experience Platform.
The sequence of events leading to code execution is as follows: once authenticated, threat actors can leverage the ItemService API to enumerate the HTML cache keys stored in the Sitecore cache and then send HTML cache poisoning requests targeting those keys.
This can then be chained with CVE-2025-53691 to serve malicious HTML code.
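The first step of that chain, enumerating cache keys through the ItemService API, is the part a defender can look for in web-server logs, since the attacker must walk many distinct item resources from one authenticated account in a short time. The script below is an added example written for this article; it is not code from watchTowr or Sitecore. It assumes the ItemService is served under the default Sitecore Services Client route `/sitecore/api/ssc/` and that the logs use the IIS W3C fields listed in the comments; both are assumptions, and the log lines it processes are constructed, not real traffic.

```python
"""Flag ItemService-API enumeration bursts in IIS W3C logs (added example).

Assumptions (not stated in the article): the Sitecore ItemService is reached
under /sitecore/api/ssc/ (default Sitecore Services Client route), and the log
carries the fields: date time cs-method cs-uri-stem cs-username c-ip sc-status.
"""
from collections import defaultdict
from datetime import datetime, timedelta

ITEMSERVICE_PREFIX = "/sitecore/api/ssc/"  # assumed ItemService route


def parse_line(line):
    """Parse one W3C log line into a dict; skip comment/blank/malformed lines."""
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) != 7:
        return None
    date, time_, method, uri, user, ip, status = parts
    return {
        "ts": datetime.strptime(f"{date} {time_}", "%Y-%m-%d %H:%M:%S"),
        "method": method,
        "uri": uri,
        "user": user,
        "ip": ip,
        "status": int(status),
    }


def detect_enumeration(lines, window=timedelta(seconds=60), threshold=20):
    """Return one finding per (user, ip) that requested `threshold` or more
    distinct ItemService resources inside any sliding `window`."""
    per_client = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["uri"].startswith(ITEMSERVICE_PREFIX):
            continue
        per_client[(rec["user"], rec["ip"])].append((rec["ts"], rec["uri"]))

    findings = []
    for (user, ip), events in per_client.items():
        events.sort()
        j = 0
        for i in range(len(events)):
            # advance the right edge while it stays inside the window
            while j < len(events) and events[j][0] - events[i][0] <= window:
                j += 1
            distinct = {uri for _, uri in events[i:j]}
            if len(distinct) >= threshold:
                findings.append({"user": user, "ip": ip,
                                 "distinct_items": len(distinct),
                                 "window_start": events[i][0]})
                break  # one finding per client is enough
    return findings


def build_sample_log():
    """Constructed sample traffic (not real logs): an editor making a few
    ordinary ItemService calls, and one account walking 25 distinct items
    within about ten seconds."""
    base = datetime(2025, 9, 4, 10, 0, 0)
    fmt = "{ts:%Y-%m-%d %H:%M:%S} {m} {uri} {u} {ip} {s}"
    lines = ["#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status"]
    for k in range(3):  # benign: three lookups spread over fifteen minutes
        lines.append(fmt.format(
            ts=base + timedelta(minutes=5 * k), m="GET",
            uri=f"{ITEMSERVICE_PREFIX}item/{k:08x}-0000-0000-0000-000000000000",
            u="editor1", ip="10.0.0.5", s=200))
    lines.append(fmt.format(ts=base + timedelta(minutes=1), m="GET",
                            uri="/sitecore/shell/default.aspx",
                            u="editor1", ip="10.0.0.5", s=200))
    for k in range(25):  # burst: 25 distinct items in ~9 seconds
        lines.append(fmt.format(
            ts=base + timedelta(seconds=30 + k // 3), m="GET",
            uri=f"{ITEMSERVICE_PREFIX}item/{0x1000 + k:08x}-0000-0000-0000-000000000000",
            u="svc-acct", ip="10.0.0.9", s=200))
    return lines


if __name__ == "__main__":
    for f in detect_enumeration(build_sample_log()):
        print(f"ItemService enumeration: user={f['user']} ip={f['ip']} "
              f"distinct_items={f['distinct_items']} "
              f"from={f['window_start']:%H:%M:%S}")
```

Two caveats: the enumeration is performed with a valid session, so the requests themselves look like legitimate API use and the threshold has to be tuned against the real volume of editor traffic on a given instance; and a detection like this only buys warning time, the fix remains applying the June and July 2025 patches.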
"We were able to abuse a highly restricted reflection path and call paths to poison HTML cache keys," says Bazydlo. "That single primitive opened the door to hijacking Sitecore Experience Platform pages. From there, I could drop arbitrary JavaScript to trigger a post-auth RCE vulnerability."