
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2025-53691 is a Deserialization of Untrusted Data vulnerability discovered in Sitecore Experience Manager (XM) and Sitecore Experience Platform (XP). The vulnerability affects Experience Manager (XM) versions 9.0 through 9.3 and 10.0 through 10.4, as well as Experience Platform (XP) versions 9.0 through 9.3 and 10.0 through 10.4. The vulnerability was disclosed on September 3, 2025, and patches were released in June 2025 (Hacker News, NVD).
The vulnerability is classified as a Remote Code Execution (RCE) issue arising from insecure deserialization. It received a CVSS v3.1 Base Score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, and it is tracked under CWE-502 (Deserialization of Untrusted Data) (NVD).
If successfully exploited, the vulnerability allows attackers to achieve remote code execution on affected systems. The vulnerability can be chained with other flaws, specifically a pre-auth HTML cache poisoning vulnerability, to compromise fully-patched Sitecore Experience Platform instances (Hacker News).
Sitecore released patches for this vulnerability in June 2025. Organizations running affected versions of Sitecore Experience Manager (XM) or Sitecore Experience Platform (XP) should apply the available security updates immediately (Hacker News).
The vulnerability was discovered and reported by watchTowr Labs researcher Piotr Bazydlo, who demonstrated how the vulnerability could be chained with other flaws to achieve remote code execution. The researcher noted, 'We managed to abuse a very restricted reflection path to call a method that lets us poison any HTML cache key' (Hacker News).
Source: This report was generated using AI