
Sitecore Experience Platform cache poisoning, RCE, and information disclosure flaws (multiple vulnerabilities)

Type: Vulnerability
First reported
Last updated
Happening score: 17
1 unique source, 1 article

Summary


Three newly disclosed vulnerabilities in Sitecore Experience Platform were assigned CVE-2025-53693 (HTML cache poisoning), CVE-2025-53691 (remote code execution through insecure deserialization), and CVE-2025-53694 (information disclosure in the ItemService API). Together they can lead to remote code execution and unauthorized access to information. Sitecore had already released patches in June and July 2025; the researchers said the issues could be chained on an instance that was fully patched at the time of their research, i.e. one without those fixes, so deployments that have not applied them should be treated as exposed.

Related Happenings

ViewState deserialization attack wave (2025)

Exploitation Wave
First: 05.09.2025 01:05 · Last: 05.09.2025 01:05 · Sources: 1

About this happening: A **2025 ViewState deserialization attack wave** is continuing to expose **ASP.NET** deployments to **remote code execution** when machine keys are leaked or improperly protected....
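The related ViewState happening above comes down to machine-key hygiene: a key that is static in web.config, weakly protected, or paired with disabled MAC validation is the precondition for the attack wave. The audit below is an added example written for this page, not code from Sitecore, watchTowr Labs, or the page's sources. It parses an ASP.NET web.config, flags the settings that let a leaked or weak key become a ViewState code-execution primitive, and places a weak configuration beside a hardened one. Both sample configs, the finding codes, and the helper name `audit_machine_key` are assumptions of the example.

```python
"""Audit the machineKey and ViewState settings in an ASP.NET web.config.

Added example for this page; not code from Sitecore, watchTowr Labs, or the
page's sources. Both sample configs below are constructed for the example.
"""
import xml.etree.ElementTree as ET

# Constructed sample: static keys committed to the file, legacy algorithms,
# and ViewState MAC validation switched off.
WEAK_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="0123456789ABCDEF0123456789ABCDEF"
                validation="SHA1" decryption="3DES" />
    <pages enableViewStateMac="false" />
  </system.web>
</configuration>
"""

# Constructed sample: hardened counterpart for a single server. A web farm
# would instead inject a rotated key from a secret store at deploy time
# rather than commit a literal to web.config.
HARDENED_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps"
                validation="HMACSHA256" decryption="AES" />
    <pages enableViewStateMac="true" />
  </system.web>
</configuration>
"""

# ASP.NET 4.5+ defaults used when an attribute is absent.
DEFAULTS = {
    "validationKey": "AutoGenerate,IsolateApps",
    "decryptionKey": "AutoGenerate,IsolateApps",
    "validation": "HMACSHA256",
    "decryption": "Auto",  # Auto resolves to AES on current runtimes
}
STRONG_VALIDATION = {"HMACSHA256", "HMACSHA384", "HMACSHA512"}
STRONG_DECRYPTION = {"AES", "AUTO"}


def audit_machine_key(xml_text: str) -> list[str]:
    """Return finding codes for one web.config document (empty list = clean)."""
    root = ET.fromstring(xml_text)
    mk = root.find("./system.web/machineKey")

    def setting(attr: str) -> str:
        # Fall back to the runtime default when the element or attribute is missing.
        return mk.get(attr, DEFAULTS[attr]) if mk is not None else DEFAULTS[attr]

    findings = []

    # A key literal in web.config ends up in backups, source control and
    # support tickets; that is the leak path the attack wave relies on. With
    # only the validationKey an attacker can forge a MAC'd ViewState payload;
    # with the decryptionKey as well, an encrypted one.
    for attr in ("validationKey", "decryptionKey"):
        if not setting(attr).startswith("AutoGenerate"):
            findings.append(f"STATIC_KEY:{attr}")

    if setting("validation").upper() not in STRONG_VALIDATION:
        findings.append(f"WEAK_VALIDATION:{setting('validation')}")
    if setting("decryption").upper() not in STRONG_DECRYPTION:
        findings.append(f"WEAK_DECRYPTION:{setting('decryption')}")

    # Disabling the MAC removes the key from the equation entirely: any
    # client can submit an arbitrary serialized ViewState.
    pages = root.find("./system.web/pages")
    if pages is not None and pages.get("enableViewStateMac", "true").lower() == "false":
        findings.append("VIEWSTATE_MAC_DISABLED")

    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_machine_key(cfg) or ["clean"])
```

A `STATIC_KEY` finding is not automatically a bug on a web farm, where all nodes must share a key, but it means the literal has to be checked against the publicly disclosed key lists and rotated on a schedule; the other findings have no legitimate reason to remain on an internet-facing host.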

Timeline

  1. 29.08.2025 20:22 · 2 articles

    Sitecore Experience Platform vulnerabilities expose cache poisoning, RCE, and information disclosure

    Initial Disclosure

    watchTowr Labs disclosed three new Sitecore Experience Platform vulnerabilities: CVE-2025-53693, HTML cache poisoning through unsafe reflection; CVE-2025-53691, remote code execution through insecure deserialization; and CVE-2025-53694, information disclosure in the ItemService API that can expose cache keys. The researchers said the issues can be chained on a fully patched Sitecore Experience Platform instance to enumerate cache keys, poison HTML cache entries, and reach code execution.
