
Cloud Vulnerability DB
A community-led vulnerabilities database
A critical vulnerability (CVE-2025-53691) has been identified in Sitecore Experience Manager (XM) and Experience Platform (XP) that allows remote code execution through insecure deserialization. The vulnerability affects XM versions 9.0 through 9.3 and 10.0 through 10.4, as well as XP versions 9.0 through 9.3 and 10.0 through 10.4. The flaw was discovered in June 2025, and Sitecore released patches in the same month (watchTowr Labs, Hacker News).
The vulnerability exists in the BinaryFormatter.Deserialize() call within the Sitecore.Convert.Base64ToObject() function, which decodes base64 input and deserializes the resulting object without proper validation. The exploit chain targets the ConvertToRuntimeHtml pipeline, specifically iframe elements carrying embedded serialized payloads. When the FixHtmlPage control processes malicious HTML containing iframe tags with id and value attributes, it triggers the vulnerable deserialization path. The vulnerability has been assigned a CVSS v3 base score of 8.8 (High), with an impact score of 5.9 and an exploitability score of 2.8 (AttackerKB).
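As an added, defender-side example (not Sitecore's code and not part of the original entry), the following Python triage check scans HTML for iframe elements that carry an id attribute and a base64 value attribute decoding to a .NET BinaryFormatter (MS-NRBF) stream, the input shape described above. The attribute names come from the entry, the header layout from the MS-NRBF specification, and the sample HTML is constructed for the example.

```python
import base64
import binascii
import re

# Match <iframe ...> tags and their quoted attributes (constructed, minimal parser).
IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE)
ATTR_RE = re.compile(r"""([\w:-]+)\s*=\s*(?:"([^"]*)"|'([^']*)')""")


def is_nrbf_stream(blob: bytes) -> bool:
    """True if blob starts with an MS-NRBF SerializationHeaderRecord:
    RecordType 0x00, RootId (int32), HeaderId (int32), MajorVersion 1, MinorVersion 0."""
    return (
        len(blob) >= 17
        and blob[0] == 0x00
        and blob[9:13] == b"\x01\x00\x00\x00"
        and blob[13:17] == b"\x00\x00\x00\x00"
    )


def decode_base64(value: str):
    """Strict base64 decode; returns None for anything that is not valid base64."""
    try:
        return base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None


def find_suspicious_iframes(html: str) -> list:
    """Return (id, decoded_length) for each iframe whose id and value attributes are
    both present and whose value decodes to a BinaryFormatter stream."""
    hits = []
    for tag in IFRAME_RE.finditer(html):
        attrs = {name.lower(): (dq or sq) for name, dq, sq in ATTR_RE.findall(tag.group(1))}
        if "id" not in attrs or "value" not in attrs:
            continue
        blob = decode_base64(attrs["value"])
        if blob is not None and is_nrbf_stream(blob):
            hits.append((attrs["id"], len(blob)))
    return hits


# Constructed sample: a normal embed, a non-base64 value, a harmless base64 value
# ("hello"), and a value that is the NRBF header plus filler bytes (not a gadget chain).
NRBF_HEADER = bytes.fromhex("0001000000ffffffff0100000000000000")
SAMPLE_HTML = (
    '<p>intro</p><iframe id="vid" src="https://example.invalid/embed"></iframe>'
    '<iframe id="plain" value="not-base64!"></iframe>'
    '<iframe id="text" value="aGVsbG8="></iframe>'
    '<iframe id="payload" value="'
    + base64.b64encode(NRBF_HEADER + b"constructed-filler").decode() + '"></iframe>'
)

if __name__ == "__main__":
    print(find_suspicious_iframes(SAMPLE_HTML))
```

A hit in content reaching the ConvertToRuntimeHtml path, or in request logs, is worth investigating; the check flags the serialization format only and does not replace the June 2025 patches.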
Successful exploitation of CVE-2025-53691 can lead to complete system compromise when chained with other vulnerabilities like HTML cache poisoning (CVE-2025-53693). The vulnerability affects thousands of enterprise installations worldwide, potentially exposing sensitive data and allowing attackers to execute arbitrary code on affected systems (Cybersecurity News).
Sitecore released security patches for the vulnerability in June 2025. Organizations using affected versions of Sitecore Experience Manager (XM) and Experience Platform (XP) should immediately apply the available security updates. Additionally, organizations should review their ItemServices API exposure to prevent exploitation (Hacker News).
Source: This report was generated using AI