The two vulnerabilities, CVE-2019-9874 and CVE-2019-9875, both affect the Sitecore.Security.AntiCSRF module and could allow attackers to execute arbitrary code on vulnerable systems.

CVE-2019-9874, with a CVSS score of 9.8, represents a severe security risk: it allows unauthenticated attackers to exploit a deserialization vulnerability and achieve remote code execution. Using tools such as ysoserial.net, attackers can encode payloads that execute PowerShell commands to establish remote shells or deploy malware without triggering typical security alarms.

Sitecore released fixes shortly after the initial discovery of these vulnerabilities in 2019, but many organizations remain unpatched. CISA, which now tracks the flaws as actively exploited, advises: "Organizations should use the KEV catalog as an input to their vulnerability management prioritization framework."

Organizations unable to immediately apply patches can implement temporary workarounds by denying access to the \Website\sitecore\shell folder on all Sitecore instances, or by implementing IP-based restrictions that limit access to trusted addresses. Security professionals are urged to review their Sitecore deployments immediately and take appropriate action to mitigate these actively exploited vulnerabilities.

Kaaviya is a Security Editor and fellow reporter with Cyber Security News, covering cyber security incidents across the industry.
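The IP-based restriction described above can be expressed as an IIS `<location>` block in the Sitecore site's web.config. The following is an added example, not configuration from the article or from Sitecore: it assumes an IIS host with the "IP and Domain Restrictions" role feature installed, that the `\Website` folder is the web root (so the shell folder is served at the URL path `sitecore/shell`), and that the two addresses shown are placeholders for the organization's own trusted hosts and networks.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example (not from the article or from Sitecore): restrict the
     Sitecore shell to trusted addresses as a stop-gap until the 2019 fixes
     are applied. Assumes IIS with the "IP and Domain Restrictions" feature
     installed and the ipSecurity section unlocked in applicationHost.config.
     The address and network below are placeholders from the TEST-NET ranges. -->
<configuration>
  <!-- Applies only to the /sitecore/shell path; the rest of the site is unaffected -->
  <location path="sitecore/shell">
    <system.webServer>
      <security>
        <!-- allowUnlisted="false": deny everything except the entries listed below -->
        <ipSecurity allowUnlisted="false">
          <clear />
          <!-- a single trusted administrator host -->
          <add ipAddress="203.0.113.10" allowed="true" />
          <!-- a trusted management network, /24 -->
          <add ipAddress="198.51.100.0" subnetMask="255.255.255.0" allowed="true" />
        </ipSecurity>
      </security>
    </system.webServer>
  </location>
</configuration>
```

The `ipSecurity` section is locked at the server level by default, so it must first be unlocked with `appcmd unlock config -section:system.webServer/security/ipSecurity` or the site will return a configuration error. After deploying, confirm the restriction from an untrusted address (a request to `/sitecore/shell/` should return HTTP 403) and repeat on every Sitecore instance, since the article notes the workaround must cover all of them. This is a mitigation, not a fix: it only reduces exposure of the vulnerable module and should be followed by the vendor patch.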
This Cyber News was published on cybersecuritynews.com. Publication date: Thu, 27 Mar 2025 11:30:27 +0000