CVE-2025-34509 HIGH

CVE-2025-34509: Sitecore XM and XP Hardcoded Credentials

Vendor: Sitecore
Product: Experience Manager
Weakness: CWE-798 · Hardcoded credentials
Published: June 17, 2025
Last update: February 26, 2026

CVSS base score

7.5/10
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Confidentiality: High
Integrity: None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

01 Description

Sitecore Experience Manager (XM) and Experience Platform (XP) versions 10.1 to 10.1.4 rev. 011974 PRE, all versions of 10.2, 10.3 to 10.3.3 rev. 011967 PRE, and 10.4 to 10.4.1 rev. 011941 PRE contain a hardcoded user account. Unauthenticated, remote attackers can use this account to access the administrative API over HTTP.

Key dates

02 Disclosure timeline

June 17, 2025: CVE published
February 26, 2026: Record updated