Threats / Sitecore / CVE-2019-9874
CVE-2019-9874
· EUVD no mirror located
· GCVE no mirror located
Verified 2026-06-22
Sitecore CMS and Experience Platform (XP) vulnerability
Sitecore CMS and Experience Platform contain an unsafe deserialization vulnerability in the anti-CSRF module allowing unauthenticated remote code execution via malicious serialized objects.
Verdict
Today item — known-exploited.
An unauthenticated attacker can exploit unsafe .NET deserialization in the Sitecore.Security.AntiCSRF module by crafting a malicious serialized object in the __CSRFTOKEN parameter to achieve arbitrary code execution on the server.
01
Is it exploitable?
— the evidence, ranked above the scoreReported exploitation
78 independent public reports of in-the-wild exploitation are cataloged.Distinct reporting sources (vendor, incident response, government); open them for the underlying claims.
Exploited in the wild
Listed in the CISA Known Exploited Vulnerabilities catalog (added 2025-03-26).
Probability (EPSS)
EPSS 0.83857 — modeled likelihood of exploitation activity.EPSS is a daily-changing model output — open the source for today's value.
Severity / affected
Affected: Sitecore, CMS and Experience Platform (XP). Confirm exact fixed builds in the vendor advisory.
Weakness (CWE)
Mapped to CWE-502 Deserialization of Untrusted Data — weakness family: Injection.CWE assignment from the public NVD record; the weakness class drives how the flaw is exploited.
02
Who’s exploiting it?
— attribution turns risk into urgencyAttribution not established
No confirmed (advisory-backed) threat-actor attribution is established for this record. Absence of a named actor is not absence of compromise — see Coverage & confidence.
03
Why it matters
— the attack path, told twice: adversary, then board1
Front door — unauthenticated access narrative 1
Attacker
I craft a malicious serialized .NET object and send it as the __CSRFTOKEN parameter in an HTTP POST request to a Sitecore instance.
Business
The organization's web application becomes a direct target for remote code execution without requiring authentication or user interaction.
2
Keys to the kingdom — privilege/identity takeover narrative 2
Attacker
The vulnerable deserialization handler processes my object without validation, triggering gadget chains that execute arbitrary code in the application context.
Business
Attackers gain full control over the application server and can access sensitive data, modify content, or pivot to internal systems.
3
Lateral reach — past segmentation narrative 3
Attacker
I establish persistence and move laterally through the infrastructure to compromise additional systems and data stores.
Business
The breach expands beyond the web application to critical business systems, resulting in data theft, operational disruption, and regulatory exposure.
04
What to do
— defensible action- Remediate per the vendor advisory — confirm the fixed build for your version and verify exposure.1
Say it to the boardA vulnerability with this evidence profile is a defensible budget line, not a backlog ticket — fund the change against the proof above.
05