CVE-2025-53694: 
Sitecore Experience Platform (XP) vulnerability analysis and mitigation

An Information Disclosure vulnerability (CVE-2025-53694) was discovered in Sitecore Experience Manager (XM) and Sitecore Experience Platform (XP) versions 9.2 through 10.4. The vulnerability allows unauthorized actors to access sensitive information through the ItemService API. This vulnerability was discovered in August 2025 and publicly disclosed on September 3, 2025, with a CVSS v3.1 base score of 7.5 (HIGH) (NVD, Hacker News).

The vulnerability exists in the ItemService API functionality of Sitecore platforms. When exposed, the API allows unauthenticated users to enumerate HTML cache keys stored in the Sitecore cache. The vulnerability is particularly severe as it requires no authentication (CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). The issue can be triggered through specific HTTP requests to the ItemService API endpoint, allowing attackers to gather sensitive information about the system's configuration and cached content (WatchTowr Labs).

The vulnerability enables attackers to access sensitive information without authentication. This information disclosure can be particularly dangerous as it exposes cache keys and system configuration details that could be leveraged in further attacks. The high confidentiality impact (C:H) in the CVSS score reflects the severity of the exposed information (NVD, WatchTowr Labs).

Patches for this vulnerability were released by Sitecore in July 2025. Organizations running affected versions of Sitecore Experience Manager (XM) or Sitecore Experience Platform (XP) should immediately update to the patched versions. If immediate patching is not possible, organizations should ensure the ItemService API is not exposed to untrusted networks (WatchTowr Labs).