CVE-2021-42237

critical

Description

Sitecore XP 7.5 Initial Release to Sitecore XP 8.2 Update-7 is vulnerable to an insecure deserialization attack where it is possible to achieve remote command execution on the machine. No authentication or special configuration is required to exploit this vulnerability.

References

http://packetstormsecurity.com/files/164988/Sitecore-Experience-Platform-XP-Remote-Code-Execution.html

https://veriti.ai/blog/vulnerable-villain-when-hackers-get-hacked/

https://www.secureworks.com/research/gold-melody-profile-of-an-initial-access-broker?&web_view=true

https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-117a

https://www.tenable.com/blog/cisa-top-20-cves-exploited-peoples-republic-of-china-state-sponsored-actors-aa22-279a

https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1000776

https://blog.assetnote.io/2021/11/02/sitecore-rce/

http://sitecore.com

Details

Source: Mitre, NVD

Published: 2021-11-05

Updated: 2025-04-03

Known Exploited Vulnerability (KEV)

Risk Information

CVSS v2

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Severity: Critical

CVSS v3

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: Critical

EPSS

EPSS: 0.94374