Platform: dotnet
Component: sitecore-experience-manager
Fixed in: 9.3.1, 10.4.1
CVE-2025-34510 is a Remote Code Execution (RCE) vulnerability affecting Sitecore Experience Manager (XM), Experience Platform (XP), and Experience Commerce (XC). This Zip Slip vulnerability allows authenticated attackers to execute arbitrary code on affected systems by exploiting improper handling of ZIP archive entry paths during file uploads. Versions 9.0 through 10.4 are affected, and a patch is available to address the issue.
The impact of CVE-2025-34510 is significant due to its RCE nature. A successful exploit allows an attacker, with authenticated access, to upload a malicious ZIP archive containing path traversal sequences. This enables the attacker to write arbitrary files to the server, potentially overwriting critical system files or injecting malicious code. The attacker could then execute this code, gaining complete control over the affected Sitecore instance. This could lead to data breaches, system compromise, and denial of service. The potential blast radius extends to any data processed or stored within the Sitecore environment, including sensitive customer information and business-critical assets.
CVE-2025-34510 was publicly disclosed on 2025-06-17. The vulnerability's severity is rated HIGH with a CVSS score of 8.8. Public proof-of-concept (POC) code is likely to emerge given the ease of exploitation associated with Zip Slip vulnerabilities. Monitor security advisories and threat intelligence feeds for any indications of active exploitation campaigns targeting Sitecore installations. This CVE has been added to the CISA KEV catalog, indicating a heightened risk of exploitation.
Exploit Status
- EPSS: 87.27% (99th percentile)
- CISA SSVC
- CVSS Vector
The primary mitigation for CVE-2025-34510 is to upgrade to a patched version of Sitecore Experience Manager, XP, or XC. Sitecore has released updates that address this vulnerability. If immediate patching is not feasible, consider temporary workarounds such as restricting file upload functionality, rigorously validating ZIP archive contents before processing, and tightening access controls to limit the privileges of authenticated users. Web Application Firewalls (WAFs) can be configured to detect and block ZIP uploads whose entry names contain path traversal sequences. After upgrading, confirm the fix by attempting to upload a ZIP archive containing a path traversal sequence and verifying that the upload fails with an appropriate error message.
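As an added example that is not part of this advisory and not Sitecore's code, the following Python routine implements the "validate ZIP archive contents before processing" workaround described above: it resolves every entry name against the intended destination directory and flags any entry that would land outside it. The archive it inspects is constructed in memory for demonstration, and the destination path is an assumed placeholder.

```python
"""Zip Slip pre-extraction check: flags archive entries whose resolved
path would land outside the intended destination directory."""
import io
import os
import zipfile


def entry_escapes(dest_dir: str, entry_name: str) -> bool:
    """Return True if extracting ``entry_name`` under ``dest_dir`` would
    write outside ``dest_dir``.  Backslashes are normalised to '/' because
    a Windows/IIS host treats '..\\' exactly like '../'."""
    name = entry_name.replace("\\", "/")
    # Absolute paths and drive-letter prefixes ("C:/...") never belong in an upload.
    if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
        return True
    dest = os.path.abspath(dest_dir)
    # Join segment by segment so os.path.abspath collapses any '..' components.
    target = os.path.abspath(os.path.join(dest, *name.split("/")))
    # The resolved target must be dest itself or a path strictly beneath it.
    return os.path.commonpath([dest, target]) != dest


def find_zip_slip_entries(zip_bytes: bytes, dest_dir: str) -> list:
    """Return the names of all archive entries that would escape dest_dir.
    An empty list means the archive is safe to hand to the extractor."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [info.filename for info in zf.infolist()
                if entry_escapes(dest_dir, info.filename)]


def build_sample_archive() -> bytes:
    """Constructed sample archive (not a real upload): one benign entry plus
    two traversal entries, one per path-separator style."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("package/items/item.xml", "<item/>")
        zf.writestr("../../App_Data/escaped.txt", "x")
        zf.writestr("..\\..\\bin\\escaped.dll", "x")
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder destination; on a real host this is the upload's extraction root.
    bad = find_zip_slip_entries(build_sample_archive(), "/var/www/site/uploads")
    print("rejected entries:", bad)
```

Run the check on the raw upload before any extraction call; an archive with a non-empty result should be rejected and the event logged with the offending entry names.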
Update Sitecore Experience Manager to a version later than 10.4 that has fixed the Zip Slip vulnerability. See the Sitecore knowledge base article (KB1003667) for more details and specific upgrade instructions.
CVE-2025-34510 is a Remote Code Execution (RCE) vulnerability in Sitecore Experience Manager (XM), XP, and XC versions 9.0–10.4. It allows authenticated attackers to execute arbitrary code via a Zip Slip vulnerability.
If you are using Sitecore Experience Manager, XP, or XC versions 9.0 through 10.4, you are potentially affected by this vulnerability. Assess your environment and upgrade as soon as possible.
The recommended fix is to upgrade to a patched version of Sitecore Experience Manager, XP, or XC. Refer to the official Sitecore advisory for details on available patches.
While active exploitation is not yet confirmed, the vulnerability's severity and ease of exploitation suggest a high probability of exploitation. Monitor security advisories and threat intelligence feeds.
Refer to the official Sitecore security advisory for detailed information and mitigation guidance: [https://www.sitecore.com/security/advisories](https://www.sitecore.com/security/advisories)