What is CVE-2025-34509?

CVE-2025-34509 is a high-severity vulnerability in Sitecore Experience Manager, classified under Use of Hard-coded Credentials. CVSS score: 7.5/10. Published 2025-06-17.

How severe is CVE-2025-34509?

High severity. CVSS v3 base score is 7.5 out of 10.

Is CVE-2025-34509 known to be exploited?

2 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Vulnerability in Sitecore Experience Manager

CVE-2025-34509

Sitecore Experience Manager (XM) and Experience Platform (XP) versions 10.1 to 10.1.4 rev. 011974 PRE, all versions of 10.2, 10.3 to 10.3.3 rev. 011967 PRE, and 10.4 to 10.4.1 rev. 011941 PRE contain a hardcoded user account. Unauthenticat…

EPSS: 0.169 (95.1th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 7.5 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N.

Affected products

Sitecore Experience Manager — versions 10.4, 10.3, 10.1
Sitecore Experience Platform — versions 10.4, 10.3, 10.1

Weakness classification (CWE)

CWE-798 — Use of Hard-coded Credentials

Public proof-of-concept exploits

References

labs.watchtowr.com/is-b-for-backdoor-pre-auth-rce-chain-in-sitecore-experience-… (third-party-advisory, exploit, technical-description)
support.sitecore.com/kb (vendor-advisory)

Frequently asked questions

What is CVE-2025-34509?: CVE-2025-34509 is a high-severity vulnerability in Sitecore Experience Manager, classified under Use of Hard-coded Credentials. CVSS score: 7.5/10. Published 2025-06-17.
How severe is CVE-2025-34509?: High severity. CVSS v3 base score is 7.5 out of 10.
Is CVE-2025-34509 known to be exploited?: 2 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.