
Cloud Vulnerability DB
A community-led vulnerabilities database
Sitecore Experience Manager (XM) and Experience Platform (XP) versions 10.1 to 10.1.4 rev. 011974 PRE, all versions of 10.2, 10.3 to 10.3.3 rev. 011967 PRE, and 10.4 to 10.4.1 rev. 011941 PRE contain a hardcoded user account vulnerability identified as CVE-2025-34509. The vulnerability was discovered in February 2025 and publicly disclosed on June 17, 2025. This security flaw allows unauthenticated remote attackers to access an administrative API over HTTP using the hardcoded ServicesAPI user account, whose password is set to 'b' (Watchtowr Labs, Hacker News).
The vulnerability has been assigned a CVSS v3.1 base score of 8.2 HIGH (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N) and is classified under CWE-798 (Use of Hard-coded Credentials). The issue was introduced in version 10.1 and persisted through subsequent releases. The hardcoded credentials originate from the Sitecore installer, which imports a pre-configured user database in which the ServicesAPI password is set to 'b'. While the ServicesAPI user has no roles assigned by default, the credentials can be used against the '/sitecore/admin' API endpoint to sign in and obtain a valid session cookie (Watchtowr Labs, Wiz).
The vulnerability enables unauthenticated remote attackers to authenticate as the ServicesAPI user and access various APIs and endpoints within the Sitecore platform. While the ServicesAPI user has no roles assigned by default, the authenticated session can bypass IIS authorization rules and access multiple aspx files stored in prohibited directories, significantly expanding the attack surface. The vulnerability affects thousands of environments, including banks, airlines, and global enterprises (Watchtowr Labs, Hacker News).
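One way to triage the behaviour described above from IIS access logs, as an added example that is not part of the original advisory or of any Sitecore or Wiz tooling: correlate an accepted login POST to the /sitecore/admin endpoint with subsequent .aspx requests under /sitecore/ from the same client. The log lines are constructed sample data, the page names are placeholders, and the ten-minute window is an assumption.

```python
"""Correlate /sitecore/admin logins with follow-on .aspx access in IIS W3C logs."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed IIS W3C log lines (sample data, not real traffic). Only the
# /sitecore/admin prefix comes from the advisory; the page names are placeholders.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-06-18 10:00:01 10.0.0.5 POST /sitecore/admin/login.aspx - 443 - 203.0.113.9 python-requests/2.31 302
2025-06-18 10:00:03 10.0.0.5 GET /sitecore/admin/example-tool.aspx - 443 - 203.0.113.9 python-requests/2.31 200
2025-06-18 10:00:04 10.0.0.5 GET /sitecore/shell/example-page.aspx - 443 - 203.0.113.9 python-requests/2.31 200
2025-06-18 10:05:00 10.0.0.5 GET /sitecore/admin/login.aspx - 443 - 198.51.100.4 Mozilla/5.0 200
2025-06-18 10:05:02 10.0.0.5 GET / - 443 - 198.51.100.4 Mozilla/5.0 200
"""

LOGIN_PREFIX = "/sitecore/admin"   # endpoint named in the advisory
WINDOW = timedelta(minutes=10)     # assumed correlation window


def parse_iis(text):
    """Yield (timestamp, method, path, client_ip, status) for each data line."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split()
        ts = datetime.strptime(f"{f[0]} {f[1]}", "%Y-%m-%d %H:%M:%S")
        yield ts, f[3], f[4].lower(), f[8], int(f[10])


def suspicious_clients(text, window=WINDOW):
    """Return {client_ip: [aspx paths]} for clients whose login POST to the
    /sitecore/admin endpoint was accepted (200/302) and that then fetched
    .aspx pages under /sitecore/ within the window."""
    logins = {}
    hits = defaultdict(list)
    for ts, method, path, ip, status in parse_iis(text):
        if method == "POST" and path.startswith(LOGIN_PREFIX) and status in (200, 302):
            logins[ip] = ts  # most recent accepted login for this client
        elif (method == "GET" and path.endswith(".aspx") and path.startswith("/sitecore/")
              and status == 200 and ip in logins and ts - logins[ip] <= window):
            hits[ip].append(path)
    return dict(hits)


if __name__ == "__main__":
    for ip, paths in suspicious_clients(SAMPLE_LOG).items():
        print(ip, paths)
```

Flagged clients are candidates for review, not proof of compromise: legitimate administrators produce the same pattern, so compare the source addresses against known admin networks before escalating.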
While changing the credentials might seem like an obvious solution, Sitecore's documentation explicitly warns against modifying default user accounts because doing so may affect other areas of the security model. Organizations should carefully assess their exposure and implement additional security controls while waiting for an official fix. Customers who ran a version earlier than 10.1 and later upgraded are likely not impacted, provided they migrated their existing database rather than using the one embedded in the installation package. Sitecore has published a Knowledge Base article with details of patches and remediation steps (Wiz, Hacker News).
Sitecore has acknowledged the vulnerability and actively collaborated with researchers to address the issue. According to Benjamin Harris, CEO and founder of watchTowr, 'It's 2025, and we can't believe we still have to say this, but that's very bad.' Sitecore's customer support teams have proactively communicated these updates to affected clients, and all impacted SaaS products have been remediated (Hacker News).
Source: This report was generated using AI