CVE-2021-42237

CVSS 9.8 CRITICAL · EPSS 99.2% · KEV (listed) · CWE-502
In short

Sitecore XP versions 7.5 (Initial Release) through 8.2 Update-7 contain a critical insecure-deserialization flaw that lets an attacker run commands on the server without logging in. Exploitation takes a single crafted network request to the affected endpoint; no credentials, user interaction or special configuration are needed.

Technical detail

The flaw is an insecure deserialization (CWE-502): the application deserializes attacker-controlled request data with a mechanism that lets the input dictate which types are constructed, so a crafted payload executes arbitrary code before the handler's own logic or any authorization check runs. The attack is network-reachable with no pre-conditions, no authentication and no user interaction (AV:N/AC:L/PR:N/UI:N); successful exploitation gives code execution in the context of the account running the Sitecore web application, which for a default install is the IIS application pool identity. Because the code runs during deserialization itself, input validation inside the handler is not a mitigation; the remedy is to upgrade or apply the vendor's fix for the affected release line.

Summary generated and translated by AI from the official description.
Sitecore XP 7.5 Initial Release to Sitecore XP 8.2 Update-7 is vulnerable to an insecure deserialization attack where it is possible to achieve remote command execution on the machine. No authentication or special configuration is required to exploit this vulnerability.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
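The pattern behind this class of bug, shown as an added illustration that is not Sitecore's code and not taken from this entry: a hypothetical ASP.NET (System.Web) handler that feeds the raw request body to BinaryFormatter, beside a hardened version that requires an authenticated caller, bounds the body size and binds the input to a fixed data contract with System.Text.Json (assumed to be available to the project as a NuGet package). The handler names, the ReportRequest type and its fields are assumptions for the example.

```csharp
// Added example: vulnerable vs. hardened request handling for a .NET web endpoint.
// Not Sitecore's code; handler and DTO names are hypothetical.
using System;
using System.IO;
using System.Runtime.Serialization.Formatters.Binary;
using System.Text.Json;
using System.Web;

// VULNERABLE (CWE-502): unauthenticated body handed straight to BinaryFormatter.
// The byte stream names the types to construct, so a crafted payload runs code
// inside Deserialize(), before this handler gets to look at the result.
public sealed class VulnerableReportHandler : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        var formatter = new BinaryFormatter();           // no auth check, no type restriction
        object request = formatter.Deserialize(context.Request.InputStream);
        context.Response.Write(request == null ? "empty" : request.GetType().FullName);
    }
}

// Hypothetical data contract: plain properties only, no type metadata on the wire.
public sealed class ReportRequest
{
    public string ReportName { get; set; }
    public DateTime From { get; set; }
    public DateTime To { get; set; }
}

// HARDENED: authenticate first, cap the body, and parse into a fixed DTO with a
// serializer that only populates declared properties and cannot instantiate
// attacker-chosen types.
public sealed class HardenedReportHandler : IHttpHandler
{
    private const int MaxBodyBytes = 64 * 1024;

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        var identity = context.User == null ? null : context.User.Identity;
        if (identity == null || !identity.IsAuthenticated)
        {
            context.Response.StatusCode = 401;           // reject before reading the body
            return;
        }
        if (context.Request.ContentLength > MaxBodyBytes)
        {
            context.Response.StatusCode = 413;
            return;
        }

        ReportRequest req = ParseRequest(context.Request.InputStream);
        if (req == null)
        {
            context.Response.StatusCode = 400;
            return;
        }
        context.Response.ContentType = "application/json";
        context.Response.Write(JsonSerializer.Serialize(req));
    }

    // Returns null for anything that is not a well-formed, self-consistent ReportRequest.
    public static ReportRequest ParseRequest(Stream body)
    {
        string json;
        using (var reader = new StreamReader(body))
        {
            json = reader.ReadToEnd();
        }
        ReportRequest req;
        try
        {
            req = JsonSerializer.Deserialize<ReportRequest>(json);
        }
        catch (JsonException)
        {
            return null;                                 // malformed JSON is a 400, not an exception page
        }
        if (req == null || string.IsNullOrWhiteSpace(req.ReportName) || req.To < req.From)
            return null;
        return req;
    }
}
```

Two caveats on the hardened form. Authentication alone does not fix the vulnerable handler, it only moves the bug behind a login; the deserializer has to change. And a restrictive SerializationBinder on BinaryFormatter is not an acceptable substitute for removing it: Microsoft's own guidance is that BinaryFormatter is insecure by design and should not be used on untrusted input at all, regardless of binder.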
Affected products
Sitecore XP 7.5 Initial Release through 8.2 Update-7, per the description above (the entry's product table itself reads n/a · n/a).
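A quick exposure check against the version range this entry gives, added here as an example and not part of the entry or of any vendor tooling. It assumes the Sitecore version file (commonly served at /sitecore/shell/sitecore.version.xml) carries a <version> element with <major> and <minor> children; that layout, the path and the sample document are assumptions. It also treats any 8.2 build as in range, since 8.2 Update-7 is the highest update the entry names, and it refuses to return "not affected" when the version cannot be read.

```csharp
// Added example: decide whether a Sitecore XP major.minor lies in the range this
// entry lists (7.5 through 8.2 inclusive). File layout and element names are assumed.
using System;
using System.Xml;
using System.Xml.Linq;

public static class Cve202142237Check
{
    // Range stated in this entry; comparison is on major.minor only.
    private static readonly Version Lower = new Version(7, 5);
    private static readonly Version Upper = new Version(8, 2);

    public static bool IsAffected(Version v)
    {
        var majorMinor = new Version(v.Major, v.Minor);
        return majorMinor >= Lower && majorMinor <= Upper;
    }

    // Parses <major>/<minor> out of the version XML. Returns null if the document is
    // malformed or lacks them, so an unreadable file is never reported as safe.
    public static Version ParseVersionXml(string xml)
    {
        XElement root;
        try
        {
            root = XElement.Parse(xml);
        }
        catch (XmlException)
        {
            return null;
        }
        XElement version = root.Element("version") ?? root;      // assumed layout
        int major, minor;
        if (!int.TryParse((string)version.Element("major"), out major)) return null;
        if (!int.TryParse((string)version.Element("minor"), out minor)) return null;
        return new Version(major, minor);
    }

    public static void Main()
    {
        // Constructed sample document, not a real capture.
        const string sample =
            "<information><version><major>8</major><minor>2</minor>" +
            "<build>0</build><revision>180406</revision></version></information>";

        Version v = ParseVersionXml(sample);
        if (v == null)
        {
            Console.WriteLine("version unknown: treat as exposed until verified");
            return;
        }
        Console.WriteLine(v + (IsAffected(v) ? " is in the affected range" : " is outside the affected range"));
    }
}
```

A positive result means "in the range this entry lists", not "confirmed vulnerable": an installation that has the vendor's fix applied can still report an in-range major.minor, so follow up by confirming the fix is present rather than relying on the version string alone. Run this only against systems you own or are authorized to test.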