The U.S. Cybersecurity and Infrastructure Safety Company (CISA) has added two six-year-old safety flaws impacting Sitecore CMS and Expertise Platform (XP) to its Identified Exploited Vulnerabilities (KEV) catalog, based mostly on proof of lively exploitation.
The vulnerabilities are listed under –
- CVE-2019-9874 (CVSS rating: 9.8) – A deserialization vulnerability within the Sitecore.Safety.AntiCSRF module that permits an unauthenticated attacker to execute arbitrary code by sending a serialized .NET object within the HTTP POST parameter __CSRFTOKEN
- CVE-2019-9875 (CVSS rating: 8.8) – A deserialization vulnerability within the Sitecore.Safety.AntiCSRF module that permits an authenticated attacker to execute arbitrary code by sending a serialized .NET object within the HTTP POST parameter __CSRFTOKEN
There are at the moment no particulars on how the issues are being weaponized within the wild and by whom, though SiteCore in an replace shared on March 30, 2020, mentioned it grew to become “conscious of lively exploitation” of CVE-2019-9874. The corporate makes no point out of CVE-2019-9875 being exploited.
In gentle of lively exploitation, federal companies are required to use the mandatory patches by April 16, 2025, to safe their networks.
The event comes as Akamai mentioned it has noticed preliminary exploit makes an attempt probing potential servers for a newly disclosed safety flaw impacting the Subsequent.js internet framework (CVE‑2025‑29927, CVSS rating: 9.1).
An authorization bypass vulnerability, a profitable exploitation might allow an attacker to get round middleware-based safety checks by spoofing a header known as “x‑middleware‑subrequest” that is used to handle inner request flows. This, in flip, might allow unauthorized entry to delicate software assets, Checkmarx’s Raphael Silva mentioned.
“Among the many recognized payloads, one notable method includes utilizing the x-middleware-request header with the worth src/middleware:src/middleware:src/middleware:src/middleware:src/middleware,” the online infrastructure firm mentioned.
“This strategy simulates a number of inner subrequests inside a single request, triggering Subsequent.js’s inner redirect logic — carefully resembling a number of publicly accessible proof-of-concept exploits.”
The disclosures additionally comply with a warning from GreyNoise about lively exploitation makes an attempt recorded in opposition to a number of recognized vulnerabilities in DrayTek units.
The menace intelligence agency mentioned it has seen noticed in-the-wild exercise in opposition to the under CVE identifiers –
- CVE-2020-8515 (CVSS rating: 9.8) — An working system command injection vulnerability in a number of DrayTek router fashions that would enable distant code execution as root through shell metacharacters to the cgi-bin/mainfunction.cgi URI
- CVE-2021-20123 (CVSS rating: 7.5) — An area file inclusion vulnerability in DrayTek VigorConnect that would enable an unauthenticated attacker to obtain arbitrary recordsdata from the underlying working system with root privileges through the DownloadFileServlet endpoint
- CVE-2021-20124 (CVSS rating: 7.5) — An area file inclusion vulnerability in DrayTek VigorConnect that would enable an unauthenticated attacker to obtain arbitrary recordsdata from the underlying working system with root privileges through the WebServlet endpoint
Indonesia, Hong Kong, and the USA have emerged as the highest vacation spot international locations of the assault visitors for CVE-2020-8515, whereas Lithuania, the USA, and Singapore have been singled out as a part of assaults exploiting CVE-2021-20123 and CVE-2021-20124.