
Cloud Vulnerability DB
A community-led vulnerabilities database
A sensitive information disclosure vulnerability (CVE-2025-53694) was identified in Sitecore Experience Manager (XM) and Sitecore Experience Platform (XP) versions 9.2 through 10.4. The vulnerability was discovered in August 2025 and publicly disclosed on September 3, 2025. This vulnerability allows unauthorized actors to access sensitive information through the ItemService API (Hacker News, NVD).
The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, indicating network accessibility, low attack complexity, no privileges required, and no user interaction needed. The vulnerability specifically affects the ItemService API, which, when exposed, allows attackers to enumerate HTML cache keys stored in the Sitecore cache (Watchtowr Labs).
The vulnerability enables unauthorized access to sensitive information through the ItemService API. When exploited, attackers can enumerate and access HTML cache keys stored in the Sitecore cache, potentially leading to information disclosure. This vulnerability can be particularly impactful when chained with other vulnerabilities for more severe attacks (Watchtowr Labs).
Sitecore released patches for this vulnerability in July 2025. Organizations running affected versions of Sitecore Experience Manager (XM) and Experience Platform (XP), versions 9.2 through 10.4, should apply the available security updates. Additionally, organizations should ensure that the ItemService API is not exposed to the internet unless absolutely necessary (Watchtowr Labs).
Source: This report was generated using AI
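The remediation guidance above says the ItemService API should not be reachable from the internet. One way to verify that in practice is to check web-server access logs for ItemService requests arriving from addresses outside the networks where such traffic is expected. The script below is an added example written for this page; it is not code from Wiz, Sitecore, or Watchtowr Labs. It assumes a minimal IIS W3C log layout (date, time, client IP, method, URI stem, status), assumes the ItemService is served under the Sitecore Services Client prefix `/sitecore/api/ssc/item` (not stated on this page, so treat the prefix as configurable), and uses constructed log lines, IP ranges, and item IDs as input.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Assumption: the ItemService API is served under this URI prefix. The page does
# not state the path; adjust it to match your Sitecore deployment.
ITEMSERVICE_PREFIX = "/sitecore/api/ssc/item"

# Networks from which ItemService access is expected (e.g. content editors and
# internal tooling). Constructed for this example.
ALLOWED_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Minimal IIS W3C extended log format:
#   date time c-ip cs-method cs-uri-stem sc-status
LOG_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) "
    r"(?P<uri>\S+) (?P<status>\d{3})$"
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one log line; return None for header lines (#Fields: ...) and
    lines that do not match the expected layout."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    match = LOG_RE.match(line)
    return match.groupdict() if match else None


def is_external(ip_text: str) -> bool:
    """True when the client address is outside every allowed network.
    Unparseable addresses are treated as external so they are not silently
    ignored."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return True
    return not any(ip in net for net in ALLOWED_NETWORKS)


def find_external_itemservice_hits(lines: List[str]) -> List[Dict[str, str]]:
    """Return every parsed request to the ItemService prefix whose client
    address is outside the allowed networks. Status codes are kept so a
    reviewer can tell served requests (2xx) from blocked ones (401/403)."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["uri"].startswith(ITEMSERVICE_PREFIX) and is_external(rec["ip"]):
            hits.append({"ip": rec["ip"], "uri": rec["uri"], "status": rec["status"]})
    return hits


def count_by_client(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Aggregate hits per external client address."""
    counts: Dict[str, int] = {}
    for hit in hits:
        counts[hit["ip"]] = counts.get(hit["ip"], 0) + 1
    return counts


# Constructed sample log: one internal request, two external ItemService
# requests from the same client, one unrelated page view, and one malformed
# line. The item ID is made up for the example.
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem sc-status
2025-09-04 10:01:02 10.1.2.3 GET /sitecore/api/ssc/item/5B3E7D21-6F8A-4C0B-9D1E-2A4F6C8B0E13 200
2025-09-04 10:01:05 203.0.113.7 GET /sitecore/api/ssc/item/5B3E7D21-6F8A-4C0B-9D1E-2A4F6C8B0E13 200
2025-09-04 10:01:09 203.0.113.7 GET /sitecore/api/ssc/item/search 200
2025-09-04 10:02:11 198.51.100.4 GET /index.html 200
garbage line that does not parse
"""

if __name__ == "__main__":
    external_hits = find_external_itemservice_hits(SAMPLE_LOG.splitlines())
    for hit in external_hits:
        print(f"external ItemService request: {hit['ip']} {hit['uri']} -> {hit['status']}")
    print("per-client totals:", count_by_client(external_hits))
```

Any 2xx hit reported here means the ItemService answered a request from outside the expected networks, which is the exposure the advisory tells you to remove; 401/403 hits show the endpoint is reachable but refusing, which is still worth closing at the network or reverse-proxy layer rather than relying on application-level rejection alone.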