
Two critical vulnerabilities in Sitecore’s anti-CSRF module have re-emerged as active threats, with proof-of-concept exploits in circulation and real-world abuse prompting urgent action from federal agencies and security professionals worldwide.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently added CVE-2019-9874 and CVE-2019-9875 to its Known Exploited Vulnerabilities (KEV) Catalog, citing confirmed in-the-wild exploitation. These deserialization vulnerabilities affect the Sitecore CMS and Experience Platform (XP), widely used by enterprise websites and content-driven platforms across the globe.
CVE-2019-9874: Unauthenticated RCE via Deserialization (CVSS 9.8)
This critical flaw exists in Sitecore CMS 7.0–7.2 and XP 7.5–8.2, allowing unauthenticated attackers to execute arbitrary commands on vulnerable servers. The exploit hinges on tampering with the __CSRFTOKEN HTTP POST parameter by injecting a maliciously crafted serialized .NET object.
Discovered by Synacktiv security researchers during a routine audit, the exploit abuses a logic flaw in Sitecore’s CSRF protection mechanism. Instead of validating the token securely, Sitecore’s anti-CSRF module attempts to deserialize the provided string using .NET’s ObjectStateFormatter, without any signature or type checks. The result: full remote code execution on the server.
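The root cause described above is that the anti-CSRF token is treated as a serialized object rather than as an opaque credential. The following is an added illustration, not Sitecore's code or its hotfix: a generic anti-CSRF token design in Python in which the token is a random nonce plus an HMAC over the session identifier, so validation is a MAC recomputation and a constant-time comparison with no deserialization step at all. The secret key, session identifiers and sizes are constructed for the example.

```python
import base64
import hashlib
import hmac
import os

# Constructed example secret. A real deployment loads this from protected
# configuration; it is never hard-coded or derived from request data.
SECRET_KEY = os.urandom(32)
NONCE_LEN = 16
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def issue_csrf_token(session_id: str, secret: bytes = SECRET_KEY) -> str:
    """Issue an opaque token: nonce || HMAC-SHA256(secret, session_id || nonce).

    The token carries no type information and no object graph, so there is
    nothing for the server to deserialize when it comes back.
    """
    nonce = os.urandom(NONCE_LEN)
    tag = hmac.new(secret, session_id.encode() + nonce, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(nonce + tag).decode()


def validate_csrf_token(token: str, session_id: str, secret: bytes = SECRET_KEY) -> bool:
    """Return True only if the token was issued for this session under this secret.

    Contrast with the flaw in the article: the submitted string is never
    interpreted as a serialized object. A tampered or foreign value fails the
    length check or the MAC comparison and is simply rejected.
    """
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    if len(raw) != NONCE_LEN + TAG_LEN:
        return False
    nonce, tag = raw[:NONCE_LEN], raw[NONCE_LEN:]
    expected = hmac.new(secret, session_id.encode() + nonce, hashlib.sha256).digest()
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(tag, expected)


if __name__ == "__main__":
    t = issue_csrf_token("session-abc")
    print("valid for own session:", validate_csrf_token(t, "session-abc"))
    print("valid for other session:", validate_csrf_token(t, "session-xyz"))
```

The design point is that the only code path a submitted token can reach is `hmac.new` and `compare_digest`; the token's contents can never select a type or trigger a constructor, which is exactly the property the vulnerable module lacked.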
CVE-2019-9875: Authenticated Exploitation in Sitecore ≤ 9.1.0 (CVSS 8.8)
The second vulnerability targets authenticated users in Sitecore versions up to 9.1.0. Once logged in, a threat actor can weaponize the same deserialization vector to hijack the server.
While this requires prior access, the attack’s simplicity and the severity of its impact elevate the risk. Using tools like ysoserial.net, attackers can encode payloads that execute PowerShell commands to establish remote shells or deploy malware—without triggering typical security alarms.
Real-World Exploitation Confirmed
Synacktiv’s proof-of-concept demonstrates how a base64-encoded serialized payload, when submitted via an HTTP POST request to Sitecore’s user creation page, results in immediate code execution, even if the CSRF token validation fails. The execution occurs at the deserialization stage, long before any application logic has a chance to respond.
This vulnerability chain is especially dangerous because:
- No authentication is required for CVE-2019-9874.
- Remote shells can be obtained with minimal effort.
- Privilege escalation depends on the Sitecore AppPool identity, which can be quite permissive in misconfigured environments.
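Because the deserialization happens before any application logic runs, the server's response code says nothing useful, so detection has to look at the request itself. The following is an added example, not part of the original report or of any Sitecore tooling: a small Python scanner over constructed request records that flags a __CSRFTOKEN value which base64-decodes to an ObjectStateFormatter stream (such streams begin with the format marker 0xFF and version marker 0x01, which base64-encode to the familiar "/wE" prefix) or which is far longer than any legitimate token. The request path, the record layout and the sample token values are constructed; the length threshold is an assumption to tune per site.

```python
import base64
import binascii
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlencode

# ObjectStateFormatter output starts with 0xFF (format marker) then 0x01
# (version marker); in base64 that prefix reads "/wE".
OSF_MAGIC = b"\xff\x01"
# Assumed threshold: a real anti-CSRF token is a few dozen characters, a
# serialized gadget chain is typically hundreds or thousands.
SUSPICIOUS_LENGTH = 512


def decode_b64_loose(value: str) -> Optional[bytes]:
    """Decode standard or URL-safe base64, tolerating stripped padding; None on failure."""
    s = value.replace("-", "+").replace("_", "/")
    s += "=" * (-len(s) % 4)
    try:
        return base64.b64decode(s, validate=True)
    except (binascii.Error, ValueError):
        return None


def inspect_csrf_param(body: str) -> List[str]:
    """Return the reasons a POST body's __CSRFTOKEN looks like a serialized object."""
    params = parse_qs(body, keep_blank_values=True)
    reasons: List[str] = []
    for token in params.get("__CSRFTOKEN", []):
        raw = decode_b64_loose(token)
        if raw is not None and raw.startswith(OSF_MAGIC):
            reasons.append("ObjectStateFormatter header (0xFF 0x01) in __CSRFTOKEN")
        if len(token) > SUSPICIOUS_LENGTH:
            reasons.append(f"__CSRFTOKEN length {len(token)} exceeds {SUSPICIOUS_LENGTH}")
    return reasons


def scan_requests(records: List[Tuple[str, str, str]]) -> List[Tuple[str, List[str]]]:
    """Scan (method, path, body) records; return (path, reasons) for flagged POSTs."""
    flagged = []
    for method, path, body in records:
        if method != "POST":
            continue
        reasons = inspect_csrf_param(body)
        if reasons:
            flagged.append((path, reasons))
    return flagged


# Constructed sample data. A benign-looking 16-byte token, and a value whose
# decoded form carries the ObjectStateFormatter markers followed by filler;
# it is not a gadget chain, only the header a scanner would key on.
LEGIT_TOKEN = "8zKq1tGkzJm9fXvCt8DZ6w=="
HEADER_ONLY_BLOB = base64.b64encode(OSF_MAGIC + b"\x00" * 600).decode()
SAMPLE_REQUESTS = [
    ("POST", "/placeholder/create-user", urlencode({"Name": "alice", "__CSRFTOKEN": LEGIT_TOKEN})),
    ("POST", "/placeholder/create-user", urlencode({"Name": "bob", "__CSRFTOKEN": HEADER_ONLY_BLOB})),
    ("GET", "/placeholder/login", ""),
]

if __name__ == "__main__":
    for path, reasons in scan_requests(SAMPLE_REQUESTS):
        print(path, "->", "; ".join(reasons))
```

In practice the records come from a WAF, reverse proxy or IIS request-body log; the scanner needs the body, since the parameter never reaches the URL. A hit on the header check is a strong signal on its own, and the length check catches encodings the header check misses.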
Patch Now: Federal Mandate and Vendor Fixes
CISA has mandated that all Federal Civilian Executive Branch (FCEB) agencies apply available patches no later than April 16, 2025. Sitecore had previously released hotfixes and updates to address both vulnerabilities:
- For versions prior to 9.0, a hotfix is available: Sitecore KB Article 334035
- For versions 9.0 and above, upgrading to Sitecore 9.1 Update-1 resolves the issue: Download update