CVE-2025-34510

high-risk

Published 2025-06-17

Sitecore Experience Manager (XM), Experience Platform (XP), and Experience Commerce (XC) versions 9.0 through 9.3 and 10.0 through 10.4 are affected by a Zip Slip vulnerability. A remote, authenticated attacker can exploit this issue by sending a crafted HTTP request to upload a ZIP archive containing path traversal sequences, allowing arbitrary file writes and leading to code execution.

Do I need to act?

86.0% chance of exploitation in next 30 days

EPSS score — higher than 14% of all CVEs

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 8.8/10 High

NETWORK / LOW complexity

Affected Products (5)

Experience Commerce

Experience Manager

Experience Platform

Managed Cloud

Affected Vendors

Sitecore

References (2)

Exploit https://labs.watchtowr.com/is-b-for-backdoor-pre-auth-rce-chain-in-sitecore-expe...

Vendor Advisory https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1003667

/ 100

high-risk

Severity 30/34 · Critical

Exploitability 20/34 · Moderate

Exposure 12/34 · Low