
A critical vulnerability chain in Sitecore Experience Platform (XP) allows attackers to gain full server control starting with a hardcoded password (‘b’) for the default ServicesAPI account. This exploit chain, now cataloged by CISA as actively exploited, affects versions 10.1 through 10.4 of the enterprise CMS platform used by banks, airlines, and government agencies [1].
Executive Summary
The attack begins with authentication bypass using the hardcoded credentials, followed by one of two post-authentication remote code execution (RCE) paths. Security researchers at watchTowr Labs demonstrated how this combination could compromise a Sitecore server in under five minutes [3]. Sitecore has released patches in version 10.4.1, but many systems remain vulnerable due to the platform’s widespread enterprise use.
- Initial Vector: Hardcoded password ‘b’ for sitecore\ServicesAPI account (CVE-2025-XXXXX)
- Exploit Paths: ZIP slip via Upload2.aspx or direct file upload via PowerShell endpoint
- Impact: Full server compromise with IIS privileges
- Affected Versions: Sitecore XP 10.1-10.4 (fresh installations)
- Mitigation: Upgrade to 10.4.1+, rotate all default credentials, restrict admin endpoints
Technical Breakdown
The exploit chain begins with the hardcoded credentials vulnerability, where the ServicesAPI account’s password was set to the single character ‘b’ in default installations. This account has administrative privileges and can be accessed through either the /sitecore/admin interface or the /sitecore/api/ssc/auth/login API endpoint [2].
Once authenticated, attackers can choose between two RCE methods. The first involves exploiting a path traversal vulnerability in the ZIP file upload functionality at /sitecore/shell/Applications/Dialogs/Upload/Upload2.aspx. By crafting a malicious ZIP with directory traversal sequences (e.g., /\\../webshell.aspx), attackers can write arbitrary files to the webroot [4].
The second method leverages an unrestricted file upload endpoint at /sitecore%20modules/Shell/PowerShell/UploadFile/PowerShellUploadFile2.aspx. This allows direct upload of ASPX webshells without requiring ZIP archive manipulation. Both methods result in RCE with the privileges of the IIS application pool identity [5].
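The ZIP slip path above works because the extractor trusts archive entry names. The following added example (not code from Sitecore or from the cited research) shows the server-side check a hardened extractor applies: every entry name is normalised with backslashes treated as separators, absolute and drive-letter paths are refused, any surviving `..` is refused, and the resolved destination is confirmed to sit inside the extraction root before a byte is written. The sample archive, `build_sample_zip()`, `validate_entry_name()` and `safe_extract()` are constructed for this illustration.

```python
import io
import os
import posixpath
import tempfile
import zipfile
from typing import List, Optional, Tuple


def validate_entry_name(name: str) -> Optional[str]:
    """Return a normalised relative path for a ZIP entry, or None if the entry is unsafe.

    Backslashes are treated as separators because the target runs on Windows/IIS,
    so "..\\..\\x" and "../../x" must be handled identically.
    """
    normalized = name.replace("\\", "/")
    # Absolute paths and drive-letter paths are never legitimate archive members.
    if normalized.startswith("/") or (len(normalized) > 1 and normalized[1] == ":"):
        return None
    parts = posixpath.normpath(normalized).split("/")
    # Any ".." that survives normalisation escapes the extraction root.
    if ".." in parts or parts == ["."]:
        return None
    return "/".join(parts)


def safe_extract(zip_bytes: bytes, dest_dir: str) -> Tuple[List[str], List[str]]:
    """Extract an in-memory archive into dest_dir, refusing entries that would land outside it."""
    root = os.path.realpath(dest_dir)
    written: List[str] = []
    rejected: List[str] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            rel = validate_entry_name(info.filename)
            if rel is None:
                rejected.append(info.filename)
                continue
            target = os.path.realpath(os.path.join(root, rel))
            # Defence in depth: after symlink resolution the target must still be under root.
            if os.path.commonpath([root, target]) != root:
                rejected.append(info.filename)
                continue
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(rel)
    return written, rejected


def build_sample_zip() -> bytes:
    """Constructed archive mixing benign entries with traversal names like the one in the article."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("images/logo.png", b"placeholder image bytes")
        zf.writestr("images/../styles.css", b"body {}")           # harmless, normalises to styles.css
        zf.writestr("/\\../webshell.aspx", b"not a real payload")  # traversal form named in the article
        zf.writestr("..\\..\\web.config", b"<configuration/>")    # Windows-style traversal
    return buf.getvalue()


def run_demo() -> Tuple[List[str], List[str]]:
    """Extract the sample archive into a fresh temporary directory and report the outcome."""
    dest = tempfile.mkdtemp(prefix="sitecore-upload-")
    return safe_extract(build_sample_zip(), dest)


if __name__ == "__main__":
    ok, bad = run_demo()
    print("written :", ok)
    print("rejected:", bad)
```

Python's own `ZipFile.extractall` already strips leading separators and `..` components on extraction, but the explicit validator above rejects such entries instead of silently relocating them, which is the behaviour you want on an upload endpoint: a rejected entry is a signal worth logging, not something to quietly repair.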
Detection and Mitigation
Organizations should immediately audit their Sitecore installations for the following indicators:
| Detection Method | Action |
|---|---|
| Check for existence of sitecore\ServicesAPI account | Disable or change password if found |
| Review IIS logs for access to /sitecore/admin or /sitecore/api/ssc/auth/login | Block external access to these endpoints |
| Monitor for unexpected file uploads to Upload2.aspx or PowerShellUploadFile2.aspx | Restrict upload functionality to authenticated, authorized users only |
Sitecore’s official guidance recommends upgrading to version 10.4.1 or later, which removes the hardcoded credentials and implements proper file upload validation [1]. For systems that cannot be immediately patched, implementing web application firewall rules to block suspicious upload patterns and restricting network access to administrative interfaces can reduce risk.
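The table's IIS log review can be scripted. The added example below (not part of the original article or any vendor tooling) parses W3C-format IIS log lines using the `#Fields` directive, then applies the three indicators from the table: requests authenticated as the default ServicesAPI account, admin or login endpoint access from outside an assumed trusted address range, and POSTs to the two upload endpoints, escalated when the same client hit the login API earlier in the log. The log excerpt, the trusted ranges and the severity labels are constructed for this illustration.

```python
import ipaddress
from typing import Dict, List, Tuple
from urllib.parse import unquote

# Endpoints named in the article, compared case-insensitively after URL decoding.
LOGIN_ENDPOINT = "/sitecore/api/ssc/auth/login"
UPLOAD_ENDPOINTS = {
    "/sitecore/shell/applications/dialogs/upload/upload2.aspx",
    "/sitecore modules/shell/powershell/uploadfile/powershelluploadfile2.aspx",
}
DEFAULT_ACCOUNT = "sitecore\\servicesapi"
# Assumed internal address space (adjust to the real editor/VPN ranges).
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

# Constructed W3C-format IIS log excerpt (not real traffic). IIS writes User-Agent spaces as '+'.
SAMPLE_LOG = r"""
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-03-20 10:00:01 10.0.0.5 GET /products/overview - 443 - 198.51.100.7 Mozilla/5.0+(Windows) 200
2025-03-20 10:02:10 10.0.0.5 POST /sitecore/shell/Applications/Dialogs/Upload/Upload2.aspx - 443 sitecore\jdoe 10.20.1.15 Mozilla/5.0+(Windows) 200
2025-03-20 10:05:05 10.0.0.5 POST /sitecore/api/ssc/auth/login - 443 - 203.0.113.9 python-requests/2.31 200
2025-03-20 10:05:09 10.0.0.5 GET /sitecore/admin/ - 443 sitecore\ServicesAPI 203.0.113.9 python-requests/2.31 200
2025-03-20 10:05:14 10.0.0.5 POST /sitecore%20modules/Shell/PowerShell/UploadFile/PowerShellUploadFile2.aspx - 443 sitecore\ServicesAPI 203.0.113.9 python-requests/2.31 200
"""


def parse_iis_log(text: str) -> List[Dict[str, str]]:
    """Parse W3C extended log lines into dicts keyed by the names in the #Fields directive."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#"):
            continue
        values = line.split()
        if fields and len(values) == len(fields):
            rows.append(dict(zip(fields, values)))
    return rows


def is_trusted(ip: str) -> bool:
    """True when the client address falls inside an assumed internal range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETWORKS)


def is_admin_path(stem: str) -> bool:
    """Match the two administrative entry points the article names."""
    return stem == LOGIN_ENDPOINT or stem.rstrip("/") == "/sitecore/admin" or stem.startswith("/sitecore/admin/")


def analyze(rows: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (severity, client_ip, reason) findings for the indicators in the detection table."""
    findings: List[Tuple[str, str, str]] = []
    authenticated_ips = set()  # clients seen POSTing to the login API earlier in the log
    for row in rows:
        stem = unquote(row.get("cs-uri-stem", "")).lower()
        method = row.get("cs-method", "")
        ip = row.get("c-ip", "-")
        user = row.get("cs-username", "-").lower()

        if user == DEFAULT_ACCOUNT:
            findings.append(("HIGH", ip, f"request authenticated as default ServicesAPI account: {stem}"))

        if is_admin_path(stem):
            if stem == LOGIN_ENDPOINT and method == "POST":
                authenticated_ips.add(ip)
            if not is_trusted(ip):
                findings.append(("MEDIUM", ip, f"external client reached admin endpoint {stem}"))

        if stem in UPLOAD_ENDPOINTS and method == "POST":
            if ip in authenticated_ips:
                findings.append(("HIGH", ip, f"upload to {stem} following API login from the same client"))
            else:
                findings.append(("LOW", ip, f"upload to {stem}; confirm the user is an authorised editor"))
    return findings


if __name__ == "__main__":
    for severity, ip, reason in analyze(parse_iis_log(SAMPLE_LOG)):
        print(f"[{severity}] {ip}: {reason}")
```

The correlation step matters more than any single rule: an editor uploading through Upload2.aspx from the office network is routine, whereas an upload that follows an API login from an external address, or any request carrying the ServicesAPI username, is the sequence the article describes and should page someone.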
Historical Context and Industry Response
This isn’t Sitecore’s first authentication-related security issue. In 2024, researchers disclosed an order of operations bug (CVE-2024-46938) that allowed local file disclosure through the /-/speak/v1/bundles/bundle.js endpoint [6]. The current vulnerability chain represents a more severe threat due to its pre-authentication component and straightforward exploitation path.
“By default, recent Sitecore versions shipped with a user that had a hardcoded password of ‘b’. It’s 2025, and we can’t believe we still have to say this, but that’s very bad.”
— Benjamin Harris, CEO of watchTowr [3]
CISA added these vulnerabilities to its Known Exploited Vulnerabilities Catalog in March 2025, requiring federal agencies to patch affected systems by April 2025 [5]. Private sector organizations, particularly in finance and healthcare, should treat this with equal urgency given the platform’s enterprise footprint.
Conclusion
The Sitecore XP vulnerability chain demonstrates how seemingly minor security oversights (hardcoded credentials) can combine with other weaknesses (insecure file uploads) to create critical risks. Organizations using Sitecore should prioritize patching and credential rotation, while security teams should monitor for exploitation attempts. The availability of public proof-of-concepts increases the likelihood of widespread attacks in the coming weeks.
References
1. “Hard-Coded ‘b’ Password in Sitecore XP Lets Attackers Hijack CMS Servers”, The Hacker News, 2025.
2. “Sitecore CMS exploit chain starts with hardcoded ‘b’ password”, BleepingComputer, 2025.
3. “Is ‘b’ for Backdoor? Pre-Auth RCE Chain in Sitecore Experience Platform”, watchTowr Labs, 2025.
4. “Critical Vulnerabilities in Sitecore”, GBHackers, 2025.
5. “U.S. CISA adds Sitecore CMS and XP and GitHub Action flaws to its Known Exploited Vulnerabilities Catalog”, Security Affairs, 2025.
6. “Leveraging an Order of Operations Bug to Achieve RCE in Sitecore 8.x – 10.x”, Assetnote, 2024.