A critical vulnerability has been identified in multiple Sitecore products, rated 9.8 out of 10. This flaw allows a remote attacker to manipulate the application's code, potentially leading to a complete system takeover, data theft, and service disruption. Due to the extreme severity, immediate patching is required to prevent exploitation.

This vulnerability, classified as 'Unsafe Reflection' (CWE-470), exists because the application uses externally-controlled input to dynamically select and execute code or classes without proper validation. An unauthenticated remote attacker can craft a malicious web request containing specific class names and methods. The application processes this input and, due to the lack of sanitization, executes the attacker-specified code, which could lead to remote code execution (RCE) and full control over the server. The description also notes that this can be used to perform Cache Poisoning, allowing an attacker to serve malicious content to legitimate users.

This vulnerability is of critical severity with a CVSS score of 9.8. Successful exploitation would have a severe impact on the business, granting an attacker complete control over the affected Sitecore instance. Potential consequences include theft of sensitive corporate or customer data, deployment of ransomware, website defacement, and using the compromised server to attack other systems. The cache poisoning aspect specifically risks brand reputation by potentially serving malware or phishing content to website visitors, eroding customer trust.

Immediate Action: Immediately apply the security updates provided by Sitecore to all affected instances of Sitecore Experience Manager (XM) and Sitecore Experience Platform (XP). After patching, it is crucial to review access logs and system logs for any signs of compromise that may have occurred prior to the update.

Proactive Monitoring: Monitor web server and application logs for unusual or malformed requests, particularly those containing suspicious strings that resemble class names or serialized objects in parameters. Network traffic should be monitored for unexpected outbound connections from the Sitecore servers. Implement file integrity monitoring to detect unauthorized changes to application files.

Compensating Controls: If patching cannot be performed immediately, implement a Web Application Firewall (WAF) with rules specifically designed to block common reflection attack patterns and block requests containing known malicious payloads. Restrict access to the Sitecore management interface to trusted IP addresses only. Ensure the application is running with the lowest possible privileges to limit the impact of a potential compromise.

Public Exploit Available: false

This vulnerability poses a clear and present danger to the organization. Due to the critical 9.8 CVSS score, which indicates a high likelihood of exploitation with maximum impact, organizations must treat this as an emergency. The recommended remediation—updating all affected Sitecore products—should be prioritized and completed immediately. Although this CVE is not currently listed on the CISA KEV list, its severity makes it a prime candidate for future inclusion and widespread exploitation. Do not delay patching.