Vulnerability Details CVE-2025-34509
Sitecore Experience Manager (XM) and Experience Platform (XP) versions 10.1 to 10.1.4 rev. 011974 PRE, all versions of 10.2, 10.3 to 10.3.3 rev. 011967 PRE, and 10.4 to 10.4.1 rev. 011941 PRE contain a hardcoded user account. Unauthenticated and remote attackers can use this account to access administrative API over HTTP.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 25.3%
CVSS Severity
CVSS v3 Score 8.2
References
Products affected by CVE-2025-34509
-
cpe:2.3:a:sitecore:experience_commerce:10.0
-
cpe:2.3:a:sitecore:experience_commerce:10.1
-
cpe:2.3:a:sitecore:experience_commerce:10.2
-
cpe:2.3:a:sitecore:experience_commerce:10.3
-
cpe:2.3:a:sitecore:experience_commerce:10.4
-
cpe:2.3:a:sitecore:experience_commerce:9.0
-
cpe:2.3:a:sitecore:experience_commerce:9.1
-
cpe:2.3:a:sitecore:experience_manager:10.1
-
cpe:2.3:a:sitecore:experience_manager:10.2
-
cpe:2.3:a:sitecore:experience_manager:10.3
-
cpe:2.3:a:sitecore:experience_manager:10.4
-
cpe:2.3:a:sitecore:experience_manager:9.0
-
cpe:2.3:a:sitecore:experience_manager:9.1
-
cpe:2.3:a:sitecore:experience_manager:9.2
-
cpe:2.3:a:sitecore:experience_manager:9.3
-
cpe:2.3:a:sitecore:experience_platform:10.0
-
cpe:2.3:a:sitecore:experience_platform:10.1
-
cpe:2.3:a:sitecore:experience_platform:10.2
-
cpe:2.3:a:sitecore:experience_platform:10.3
-
cpe:2.3:a:sitecore:experience_platform:10.4
-
cpe:2.3:a:sitecore:experience_platform:9.0
-
cpe:2.3:a:sitecore:experience_platform:9.1
-
cpe:2.3:a:sitecore:experience_platform:9.1.1
-
cpe:2.3:a:sitecore:experience_platform:9.2
-
cpe:2.3:a:sitecore:experience_platform:9.3
-
cpe:2.3:a:sitecore:managed_cloud:-