
Cloud Vulnerability DB
A community-led vulnerabilities database
Sitecore Experience Platform (XP) versions 7.5 Initial Release through 8.2 Update-7 contain a critical vulnerability (CVE-2021-42237) that allows remote code execution through insecure deserialization. The vulnerability was discovered by Assetnote's security research team and disclosed in November 2021. It is exploitable before authentication and requires no special configuration on the target, which makes it particularly dangerous (Assetnote Blog).
The vulnerability exists in the /sitecore/shell/ClientBin/Reporting/Report.ashx endpoint, which accepts XML input from unauthenticated requests. The handler's DeserializeParameters function passes that XML to NetDataContractSerializer. Unlike DataContractSerializer, NetDataContractSerializer honours the .NET type names embedded in the XML it reads, so the client rather than the application decides which types are instantiated; a payload built around a deserialization gadget chain therefore executes arbitrary code while the request is being parsed. The vulnerability received a CVSS v3.1 base score of 9.8 CRITICAL (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) (NVD).
The vulnerability allows attackers to execute arbitrary commands on the host machine running Sitecore. Since Sitecore is typically hosted on Windows and often connected to Windows domains, this vulnerability could serve as an entry point into internal networks. This poses a significant risk to enterprise environments where Sitecore is widely used, including many Fortune 500 companies (Assetnote Blog).
For Sitecore XP 7.5.0 - 7.5.2, organizations should either upgrade to Sitecore XP 9.0.0 or higher or remove the Report.ashx file from /sitecore/shell/ClientBin/Reporting/. For versions 8.0.0 - 8.2.7, removing the Report.ashx file is sufficient: the handler is no longer used in those releases and can be safely deleted. Once the file is gone, requests to the path should return HTTP 404, which is a quick way to confirm the mitigation is in place. These mitigations were outlined in Sitecore's official advisory (Assetnote Blog).
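As an added example (not code from Wiz, Sitecore or Assetnote), the Python below turns the two facts above that a defender needs into checks: the affected version range from the advisory, and requests to the Report.ashx path in IIS W3C extended logs, separating anonymous POSTs that the handler served (the pre-authentication attack shape) from authenticated use and from the 404s seen once the file has been removed. The sample log lines are constructed, the field order follows a common IIS default, and the function and class names are this example's own.

```python
"""Triage helpers for CVE-2021-42237 (Sitecore XP Report.ashx deserialization).
Added example, not Sitecore's or Assetnote's code; the sample IIS log is constructed."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterator

# Unauthenticated handler named in the advisory. IIS matches URL paths
# case-insensitively, so comparisons are done in lower case.
REPORT_ASHX = "/sitecore/shell/clientbin/reporting/report.ashx"

# Affected range per the advisory: 7.5.0 (Initial Release) through
# 8.2.7 (Update-7), inclusive, as (major, minor, update) tuples.
FIRST_AFFECTED = (7, 5, 0)
LAST_AFFECTED = (8, 2, 7)


def parse_version(version: str) -> tuple[int, int, int]:
    """'8.2.7' -> (8, 2, 7); a missing update number means Initial Release (0)."""
    parts = [int(p) for p in version.strip().split(".")]
    if not 2 <= len(parts) <= 3:
        raise ValueError(f"expected major.minor[.update], got {version!r}")
    major, minor, *rest = parts
    return (major, minor, rest[0] if rest else 0)


def is_affected(version: str) -> bool:
    return FIRST_AFFECTED <= parse_version(version) <= LAST_AFFECTED


@dataclass(frozen=True)
class ReportAshxHit:
    when: str       # "date time" from the log
    client_ip: str
    method: str
    username: str   # "-" in IIS logs means the request was anonymous
    status: int

    @property
    def anonymous(self) -> bool:
        return self.username == "-"

    @property
    def served(self) -> bool:
        # 200: the handler still exists and processed the body.
        # 404: what you expect once Report.ashx has been removed.
        return self.status == 200


def iter_w3c_records(log_text: str) -> Iterator[dict[str, str]]:
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields: list[str] | None = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split()[1:]
            continue
        if fields is None:
            raise ValueError("request line seen before a #Fields: directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed line: skip rather than misalign columns
        yield dict(zip(fields, values))


def find_report_ashx_hits(log_text: str) -> list[ReportAshxHit]:
    """Every request to Report.ashx, whatever the method or outcome."""
    hits = []
    for rec in iter_w3c_records(log_text):
        if rec.get("cs-uri-stem", "").lower() != REPORT_ASHX:
            continue
        hits.append(ReportAshxHit(
            when=f"{rec['date']} {rec['time']}",
            client_ip=rec.get("c-ip", "-"),
            method=rec.get("cs-method", "-"),
            username=rec.get("cs-username", "-"),
            status=int(rec.get("sc-status", "0")),
        ))
    return hits


def suspicious(hits: list[ReportAshxHit]) -> list[ReportAshxHit]:
    """Anonymous POSTs that the handler served: the pre-auth attack shape."""
    return [h for h in hits if h.anonymous and h.method == "POST" and h.served]


# Constructed sample log (not real traffic). IIS writes '+' for spaces in
# the User-Agent column; field order follows a common IIS default.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2021-11-03 10:15:22 10.0.0.5 POST /sitecore/shell/ClientBin/Reporting/Report.ashx - 443 - 203.0.113.7 python-requests/2.26.0 200 0 0 812
2021-11-03 10:15:23 10.0.0.5 GET /sitecore/content/Home - 443 - 198.51.100.4 Mozilla/5.0+(Windows+NT+10.0) 200 0 0 15
2021-11-03 10:16:01 10.0.0.5 POST /sitecore/shell/ClientBin/Reporting/Report.ashx - 443 sitecore\\admin 10.0.0.9 Mozilla/5.0+(Windows+NT+10.0) 200 0 0 120
2021-11-03 10:17:44 10.0.0.5 POST /Sitecore/Shell/ClientBin/Reporting/REPORT.ASHX - 443 - 203.0.113.7 curl/7.79.1 404 0 2 3
"""

if __name__ == "__main__":
    for v in ("7.2.0", "7.5", "8.2.7", "9.0.0"):
        print(f"Sitecore XP {v}: {'affected' if is_affected(v) else 'not affected'}")
    for h in suspicious(find_report_ashx_hits(SAMPLE_LOG)):
        print(f"suspicious: {h.when} {h.client_ip} anonymous {h.method} -> HTTP {h.status}")
```

Run against the constructed log, only the first Report.ashx request is flagged: the second is an authenticated back-office user, and the third is an anonymous probe that hit a 404 after the file had been removed. Point the same functions at real IIS logs (they key off the `#Fields:` header, so column order does not matter) and treat any served anonymous POST on an affected version as a potential compromise rather than a scan.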
Source: This report was generated using AI