CVE-2025-53691

high-risk

Published 2025-09-03

Deserialization of Untrusted Data vulnerability in Sitecore Experience Manager (XM), Sitecore Experience Platform (XP) allows Remote Code Execution (RCE).This issue affects Experience Manager (XM): from 9.0 through 9.3, from 10.0 through 10.4; Experience Platform (XP): from 9.0 through 9.3, from 10.0 through 10.4.

Do I need to act?

5.0% chance of exploitation in next 30 days

EPSS score — moderate exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 8.8/10 High

NETWORK / LOW complexity

Affected Products (5)

Experience Commerce

Experience Manager

Experience Platform

Managed Cloud

Affected Vendors

Sitecore

References (2)

Exploit https://labs.watchtowr.com/cache-me-if-you-can-sitecore-experience-platform-cach...

Vendor Advisory https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1003667

/ 100

high-risk

Severity 30/34 · Critical

Exploitability 8/34 · Low

Exposure 12/34 · Low