
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two critical vulnerabilities in Sitecore CMS and Experience Platform (XP) to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of ongoing exploitation.
The vulnerabilities, which were first disclosed in 2019, pose a significant risk to organizations using Sitecore’s content management system.
Details of the Vulnerabilities
The newly listed flaws are:
- CVE-2019-9874 (CVSS 9.8) – A deserialization vulnerability in the Sitecore.Security.AntiCSRF module that allows unauthenticated attackers to execute arbitrary code by sending a serialized .NET object in the HTTP POST parameter __CSRFTOKEN.
- CVE-2019-9875 (CVSS 8.8) – A similar deserialization flaw that allows authenticated attackers to execute arbitrary code through the same __CSRFTOKEN parameter.
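As an added defender-side example (not code from the article or from Sitecore), the following Python flags a POST body whose __CSRFTOKEN value base64-decodes to the header of a .NET BinaryFormatter stream, which is what a serialized .NET object sent to a deserialization sink typically looks like on the wire. It assumes the value arrives base64-encoded in a form-urlencoded body and that BinaryFormatter is the serializer in play; both sample bodies are constructed and the "suspect" one carries only a header plus filler, not a working object graph.

```python
import base64
import binascii
from typing import Optional
from urllib.parse import parse_qs, quote_plus

# Leading bytes of a .NET BinaryFormatter stream (SerializationHeaderRecord:
# record type 0x00, RootId 1, HeaderId -1, MajorVersion 1, MinorVersion 0).
BINARYFORMATTER_HEADER = bytes.fromhex("0001000000ffffffff0100000000000000")
PARAM = "__CSRFTOKEN"  # parameter named in the Sitecore advisories


def decode_token(value: str) -> Optional[bytes]:
    """Base64-decode a parameter value, tolerating stripped padding; None if not base64."""
    padded = value + "=" * (-len(value) % 4)
    try:
        return base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None


def looks_like_binaryformatter(blob: bytes) -> bool:
    """True when the decoded bytes start with a BinaryFormatter stream header."""
    return blob.startswith(BINARYFORMATTER_HEADER)


def inspect_form_body(body: str) -> dict:
    """Inspect one x-www-form-urlencoded POST body for a suspicious __CSRFTOKEN value."""
    fields = parse_qs(body, keep_blank_values=True)
    tokens = fields.get(PARAM, [])
    result = {"present": bool(tokens), "suspicious": False, "reason": ""}
    for tok in tokens:
        blob = decode_token(tok)
        if blob is not None and looks_like_binaryformatter(blob):
            result["suspicious"] = True
            result["reason"] = "value decodes to a .NET BinaryFormatter stream"
            break
    return result


# Constructed sample bodies (not captured traffic). The benign token is an
# arbitrary opaque value; the suspect one is header bytes plus zero filler.
SAMPLE_BENIGN = (PARAM + "=" + quote_plus(base64.b64encode(b"opaque-token-value-1234").decode())
                 + "&q=hello")
SAMPLE_SUSPECT = (PARAM + "=" + quote_plus(base64.b64encode(BINARYFORMATTER_HEADER + b"\x00" * 8).decode())
                  + "&q=hello")

if __name__ == "__main__":
    for label, body in (("benign", SAMPLE_BENIGN), ("suspect", SAMPLE_SUSPECT)):
        print(label, inspect_form_body(body))
```

A hit on this check in WAF or IIS request-body logs is a strong signal to block the source and review the host for post-exploitation activity; a miss is not proof of absence, since other encodings or serializers would not match this header.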
Although details on active exploitation methods remain scarce, Sitecore previously acknowledged in a March 30, 2020 update that CVE-2019-9874 was being exploited.
However, no official confirmation has been provided regarding CVE-2019-9875.
Federal Agencies Ordered to Patch
Given the confirmed exploitation, U.S. federal agencies have been mandated to apply necessary patches by April 16, 2025, to secure their networks from potential breaches.
Organizations using Sitecore CMS should also prioritize patching these vulnerabilities to prevent exploitation.
With these vulnerabilities actively exploited, organizations must take immediate action to secure their systems.
Administrators should prioritize applying patches, reviewing security configurations, and monitoring network activity for signs of intrusion.
The surge in cyber threats highlights the need for continuous vigilance and proactive security measures to defend against evolving attack tactics.