- The Sitecore CMS had an account with a hardcoded password
- Threat actors could use it to upload arbitrary files, achieving RCE
- Thousands of endpoints are potentially at risk
Sitecore Experience Platform, an enterprise-level content management system (CMS), carried three vulnerabilities which, when chained together, allowed threat actors full takeover of vulnerable servers, experts have warned.
Cybersecurity researchers at watchTowr found that the first flaw is a hardcoded password for an internal user – just one letter – ‘b’ – making it super easy to guess.
The account does not have admin privileges, but watchTowr found malicious users could authenticate via an alternate login path, which would give them authenticated access to internal endpoints.
Patching the flaws
This sets the stage for the exploitation of the second flaw, described as a “Zip Slip” in the Sitecore Upload Wizard.
In a nutshell, the now-authenticated attackers can upload malicious files due to insufficient path sanitization and the way Sitecore maps paths. As a result, they can write arbitrary files into the webroot.
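The defensive counterpart to the “Zip Slip” problem described above is to validate every archive entry name before it is mapped to a filesystem path. The following is an added example written for this article, not Sitecore code; it is in Python rather than .NET purely for portability, and the archive contents are constructed inline.

```python
import io
import os
import posixpath
import tempfile
import zipfile


def is_safe_member(name: str) -> bool:
    """Return True only if an archive entry name stays inside the extraction root."""
    # Absolute paths (POSIX or Windows) and drive-letter prefixes are never acceptable.
    if name.startswith(("/", "\\")) or (len(name) > 1 and name[1] == ":"):
        return False
    # Normalise separators, then collapse '.' and '..' components.
    norm = posixpath.normpath(name.replace("\\", "/"))
    return norm != ".." and not norm.startswith("../")


def safe_extract(zip_bytes: bytes, dest_root: str) -> tuple[list[str], list[str]]:
    """Extract an archive into dest_root, refusing entries that would escape it."""
    dest_root = os.path.realpath(dest_root)
    extracted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not is_safe_member(info.filename):
                rejected.append(info.filename)
                continue
            target = os.path.realpath(os.path.join(dest_root, info.filename))
            # Second line of defence: the resolved path must still sit under the root.
            if os.path.commonpath([dest_root, target]) != dest_root:
                rejected.append(info.filename)
                continue
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            extracted.append(info.filename)
    return extracted, rejected


def build_sample_archive() -> bytes:
    """Constructed sample: one benign entry and two that try to escape the upload folder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("media/logo.txt", "fine")
        zf.writestr("../../escape.txt", "outside the upload folder")
        zf.writestr("..\\..\\escape2.txt", "backslash variant")
    return buf.getvalue()


def demo() -> tuple[list[str], list[str]]:
    """Run the sample archive through safe_extract in a throwaway directory."""
    with tempfile.TemporaryDirectory() as root:
        return safe_extract(build_sample_archive(), root)
```

Rejected entries are returned rather than silently dropped so that an upload handler can log them, which is the signal a detection team would want from a feature like an upload wizard.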
These two issues alone could be enough to cause some serious damage on the compromised server, but the problems don’t stop there.
If the website has the Sitecore PowerShell Extensions (SPE) module installed, which is commonly bundled with SXA, attackers can upload arbitrary files to specific paths, bypassing extension or location restrictions and resulting in a “reliable RCE”.
All Sitecore versions from 10.1 to 10.4 are apparently vulnerable, which translated to roughly 22,000 publicly exposed instances at press time – but just because they’re all accessible and running these versions, it doesn’t necessarily mean they’re all vulnerable.
“Sitecore is deployed across thousands of environments, including banks, airlines, and global enterprises — so the blast radius here is massive,” watchTowr CEO Benjamin Harris told BleepingComputer.
“And no, this isn’t theoretical: we’ve run the full chain, end-to-end. If you’re running Sitecore, it doesn’t get worse than this – rotate creds and patch immediately before attackers inevitably reverse engineer the fix.”
So far there have been no reports of abuse in the wild, but a patch is available now, so users should update as soon as possible.