{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-34138", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2025-04-15T19:15:22.562Z", "datePublished": "2025-07-25T15:54:47.306Z", "dateUpdated": "2025-07-25T18:16:54.406Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Experience Manager (XM)", "vendor": "Sitecore", "versions": [{"lessThanOrEqual": "10.4 Initial Release", "status": "affected", "version": "9.2 Initial Release", "versionType": "custom"}]}, {"defaultStatus": "unaffected", "product": "Experience Platform (XP)", "vendor": "Sitecore", "versions": [{"lessThanOrEqual": "10.4 Initial Release", "status": "affected", "version": "9.2 Initial Release", "versionType": "custom"}]}, {"defaultStatus": "unaffected", "product": "Experience Commerce (XC)", "vendor": "Sitecore", "versions": [{"lessThanOrEqual": "10.4 Initial Release", "status": "affected", "version": "9.2 Initial Release", "versionType": "custom"}]}, {"defaultStatus": "unaffected", "product": "Managed Cloud", "vendor": "Sitecore", "versions": [{"lessThanOrEqual": "10.4 Initial Release", "status": "affected", "version": "9.2 Initial Release", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Sitecore"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "A vulnerability exists in Sitecore&nbsp;<span style=\"background-color: rgb(254, 254, 254);\">Experience Manager (XM),&nbsp;<span style=\"background-color: rgb(254, 254, 254);\">Experience Platform (XP),&nbsp;<span style=\"background-color: rgb(254, 254, 254);\">Experience Commerce (XC), and&nbsp;<span style=\"background-color: rgb(254, 254, 254);\">Managed Cloud that could allow remote code execution or&nbsp;<span style=\"background-color: rgb(254, 254, 254);\">unauthorized access to information.</span><span style=\"background-color: rgb(254, 254, 254);\">&nbsp;<span style=\"background-color: rgb(254, 254, 254);\"><span style=\"background-color: rgb(254, 254, 254);\"><span style=\"background-color: rgb(254, 254, 254);\">This vulnerability affects all Experience Platform topologies (XM, XP, XC) from 9.2 Initial Release through 10.4 Initial Release. PaaS and containerized solutions are similarly affected.</span></span></span></span></span></span></span></span><br>"}], "value": "A vulnerability exists in Sitecore\u00a0Experience Manager (XM),\u00a0Experience Platform (XP),\u00a0Experience Commerce (XC), and\u00a0Managed Cloud that could allow remote code execution or\u00a0unauthorized access to information.\u00a0This vulnerability affects all Experience Platform topologies (XM, XP, XC) from 9.2 Initial Release through 10.4 Initial Release. PaaS and containerized solutions are similarly affected."}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 9.3, "baseSeverity": "CRITICAL", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2025-07-25T15:54:47.306Z"}, "references": [{"tags": ["vendor-advisory", "patch"], "url": "https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1003743"}, {"tags": ["vendor-advisory", "patch"], "url": "https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1003734"}, {"tags": ["third-party-advisory"], "url": "https://www.vulncheck.com/advisories/sitecore-xm-xp-xc-managed-cloud-rce"}], "source": {"discovery": "UNKNOWN"}, "title": "Sitecore XM/XP/XC and Managed Cloud 9.2 - 10.4 RCE", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-94", "lang": "en", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-07-25T18:16:39.786159Z", "id": "CVE-2025-34138", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-25T18:16:54.406Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-34138", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-07-25T18:16:39.786159Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-25T18:16:51.431Z"}}], "cna": {"title": "Sitecore XM/XP/XC and Managed Cloud 9.2 - 10.4 RCE", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Sitecore"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Sitecore", "product": "Experience Manager (XM)", "versions": [{"status": "affected", "version": "9.2 Initial Release", "versionType": "custom", "lessThanOrEqual": "10.4 Initial Release"}], "defaultStatus": "unaffected"}, {"vendor": "Sitecore", "product": "Experience Platform (XP)", "versions": [{"status": "affected", "version": "9.2 Initial Release", "versionType": "custom", "lessThanOrEqual": "10.4 Initial Release"}], "defaultStatus": "unaffected"}, {"vendor": "Sitecore", "product": "Experience Commerce (XC)", "versions": [{"status": "affected", "version": "9.2 Initial Release", "versionType": "custom", "lessThanOrEqual": "10.4 Initial Release"}], "defaultStatus": "unaffected"}, {"vendor": "Sitecore", "product": "Managed Cloud", "versions": [{"status": "affected", "version": "9.2 Initial Release", "versionType": "custom", "lessThanOrEqual": "10.4 Initial Release"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1003743", "tags": ["vendor-advisory", "patch"]}, {"url": "https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1003734", "tags": ["vendor-advisory", "patch"]}, {"url": "https://www.vulncheck.com/advisories/sitecore-xm-xp-xc-managed-cloud-rce", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "A vulnerability exists in Sitecore\u00a0Experience Manager (XM),\u00a0Experience Platform (XP),\u00a0Experience Commerce (XC), and\u00a0Managed Cloud that could allow remote code execution or\u00a0unauthorized access to information.\u00a0This vulnerability affects all Experience Platform topologies (XM, XP, XC) from 9.2 Initial Release through 10.4 Initial Release. PaaS and containerized solutions are similarly affected.", "supportingMedia": [{"type": "text/html", "value": "A vulnerability exists in Sitecore&nbsp;<span style=\"background-color: rgb(254, 254, 254);\">Experience Manager (XM),&nbsp;<span style=\"background-color: rgb(254, 254, 254);\">Experience Platform (XP),&nbsp;<span style=\"background-color: rgb(254, 254, 254);\">Experience Commerce (XC), and&nbsp;<span style=\"background-color: rgb(254, 254, 254);\">Managed Cloud that could allow remote code execution or&nbsp;<span style=\"background-color: rgb(254, 254, 254);\">unauthorized access to information.</span><span style=\"background-color: rgb(254, 254, 254);\">&nbsp;<span style=\"background-color: rgb(254, 254, 254);\"><span style=\"background-color: rgb(254, 254, 254);\"><span style=\"background-color: rgb(254, 254, 254);\">This vulnerability affects all Experience Platform topologies (XM, XP, XC) from 9.2 Initial Release through 10.4 Initial Release. PaaS and containerized solutions are similarly affected.</span></span></span></span></span></span></span></span><br>", "base64": false}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2025-07-25T15:54:47.306Z"}}}, "cveMetadata": {"cveId": "CVE-2025-34138", "state": "PUBLISHED", "dateUpdated": "2025-07-25T18:16:54.406Z", "dateReserved": "2025-04-15T19:15:22.562Z", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "datePublished": "2025-07-25T15:54:47.306Z", "assignerShortName": "VulnCheck"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability exists in Sitecore\u00a0Experience Manager (XM),\u00a0Experience Platform (XP),\u00a0Experience Commerce (XC), and\u00a0Managed Cloud that could allow remote code execution or\u00a0unauthorized access to information.\u00a0This vulnerability affects all Experience Platform topologies (XM, XP, XC) from 9.2 Initial Release through 10.4 Initial Release. PaaS and containerized solutions are similarly affected."}, {"lang": "es", "value": "Existe una vulnerabilidad en Sitecore Experience Manager (XM), Experience Platform (XP), Experience Commerce (XC) y Managed Cloud que podr\u00eda permitir la ejecuci\u00f3n remota de c\u00f3digo o el acceso no autorizado a la informaci\u00f3n. Esta vulnerabilidad afecta a todas las topolog\u00edas de Experience Platform (XM, XP, XC) desde la versi\u00f3n inicial 9.2 hasta la versi\u00f3n inicial 10.4. Las soluciones PaaS y en contenedores se ven afectadas de forma similar."}], "id": "CVE-2025-34138", "lastModified": "2025-07-29T14:14:55.157", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2025-07-25T16:15:28.790", "references": [{"source": "disclosure@vulncheck.com", "url": "https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1003734"}, {"source": "disclosure@vulncheck.com", "url": "https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1003743"}, {"source": "disclosure@vulncheck.com", "url": "https://www.vulncheck.com/advisories/sitecore-xm-xp-xc-managed-cloud-rce"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}