CVE-2025-34509
- CVSS v3: 7.5 (HIGH)
- EPSS Score: 18.1% (exploit probability)
- CISA KEV: No (not known exploited)
- SSVC Exploitation status: — (not available)
Description
Sitecore Experience Manager (XM) and Experience Platform (XP) versions 10.1 to 10.1.4 rev. 011974 PRE, all versions of 10.2, 10.3 to 10.3.3 rev. 011967 PRE, and 10.4 to 10.4.1 rev. 011941 PRE contain a hardcoded user account. Unauthenticated remote attackers can use this account to access the administrative API over HTTP.
Technical Details
- CVSS v3 Vector: 3.1
- Published: 6/17/2025
- Last Modified: 12/27/2025
Frequently Asked Questions
What is CVE-2025-34509?
Sitecore Experience Manager (XM) and Experience Platform (XP) versions 10.1 to 10.1.4 rev. 011974 PRE, all versions of 10.2, 10.3 to 10.3.3 rev. 011967 PRE, and 10.4 to 10.4.1 rev. 011941 PRE contain a hardcoded user account. Unauthenticated remote attackers can use this account to access the administrative API over HTTP.
Is CVE-2025-34509 actively exploited?
Active exploitation of CVE-2025-34509 has not been confirmed. Its EPSS score is 18.1%, which is the model's estimated probability that the vulnerability will be exploited in the wild within the next 30 days.
What is the CVSS score for CVE-2025-34509?
CVE-2025-34509 has a CVSS v3 base score of 7.5 (HIGH severity), with vector string 3.1.
Is CVE-2025-34509 affecting your environment?
Use isMalicious to check if any of your IPs or domains are associated with this vulnerability's IOCs.