Cyber Resilience

CVE-2019-9874

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · RCE

Published: 31 May 2019
Modified: 07 November 2025
KEV added: 26 March 2025
Patch: available
CVSS v3.1 base score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.8763 (99.5th percentile)
Risk priority: 92 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2019-9874 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Sitecore CMS. Its CVSS base score is 9.8 (Critical).

Operationally, it is ranked in the top 0.5% of CVEs by exploit likelihood (EPSS); CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

The vulnerability is a deserialization of untrusted data flaw (CWE-502) in the Sitecore.Security.AntiCSRF module, also known as the anti-CSRF module. It affects Sitecore CMS versions 7.0 through 7.2 and Sitecore XP versions 7.5 through 8.2, with a CVSS v3.1 base score of 9.8.

An unauthenticated remote attacker can exploit the issue by submitting a crafted serialized .NET object via the HTTP POST parameter __CSRFTOKEN, resulting in arbitrary code execution on the affected server.

Sitecore has published updates through its download portal, and a detailed advisory from Synacktiv outlines the technical root cause along with recommended remediation steps.

EU & UK References

Vulnerability details

Deserialization of Untrusted Data in the Sitecore.Security.AntiCSRF (aka anti CSRF) module in Sitecore CMS 7.0 to 7.2 and Sitecore XP 7.5 to 8.2 allows an unauthenticated attacker to execute arbitrary code by sending a serialized .NET object in the HTTP POST parameter __CSRFTOKEN.

CWE(s): CWE-502 (Deserialization of Untrusted Data)
KEV date added: 26 March 2025

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Sitecore CMS 7.0 to 7.2
Sitecore Experience Platform 7.5 to 8.2

Mitigating Controls (NIST 800-53 r5)

Prevent: SI-10 (Information Input Validation). Directly requires validation of untrusted HTTP input (__CSRFTOKEN) before .NET deserialization, blocking the arbitrary-code path.

Prevent: SI-2 (Flaw Remediation). Mandates prompt application of vendor patches that eliminate the unsafe deserialization routine in Sitecore.Security.AntiCSRF.

Detect: Requires integrity verification of software and data, enabling detection of unauthorized code introduced via the deserialization exploit.
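As an added, defender-side example that is not part of this advisory or of Sitecore's own code: a Python check that flags POST requests whose __CSRFTOKEN value base64-decodes to a .NET BinaryFormatter stream header instead of a plain token, run over constructed sample log lines. It assumes the module deserializes the base64-decoded token with BinaryFormatter (the page does not name the serializer) and that the log line layout is "<METHOD> <url-encoded body>" (also an assumption; adapt the split to your proxy or IIS log format).

```python
import base64
import binascii
from urllib.parse import parse_qs, urlencode

# Leading bytes of a .NET BinaryFormatter stream (SerializationHeaderRecord:
# record type 0x00, RootId=1, HeaderId=-1, MajorVersion=1). Assumption: the
# advisory does not name the serializer; this is the header that classic
# BinaryFormatter payloads for .NET CWE-502 issues carry.
BINARYFORMATTER_MAGIC = b"\x00\x01\x00\x00\x00\xff\xff\xff\xff\x01\x00\x00\x00"


def is_serialized_dotnet(value: str) -> bool:
    """True if a __CSRFTOKEN value base64-decodes to a BinaryFormatter stream."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False  # not base64 at all: a malformed token, not a serialized object
    return raw.startswith(BINARYFORMATTER_MAGIC)


def scan_requests(log_lines):
    """Return (line_no, token_prefix) for POST bodies carrying a serialized __CSRFTOKEN.

    Line layout "<METHOD> <url-encoded body>" is a constructed format for this example.
    """
    findings = []
    for line_no, line in enumerate(log_lines, start=1):
        method, _, body = line.partition(" ")
        if method != "POST":
            continue
        # parse_qs reverses the form encoding, so '+' and '/' inside base64 survive
        for token in parse_qs(body).get("__CSRFTOKEN", []):
            if is_serialized_dotnet(token):
                findings.append((line_no, token[:16]))
    return findings


# Constructed sample traffic: one legitimate-looking token and one value that is
# just the BinaryFormatter header followed by filler bytes, not a real payload.
SAMPLE_SERIALIZED = base64.b64encode(BINARYFORMATTER_MAGIC + b"constructed filler").decode()
SAMPLE_LOG = [
    "GET /sitecore/login",
    "POST " + urlencode({"__CSRFTOKEN": "dGVzdHRva2Vu", "UserName": "editor"}),
    "POST " + urlencode({"__CSRFTOKEN": SAMPLE_SERIALIZED, "UserName": "editor"}),
]

if __name__ == "__main__":
    for line_no, prefix in scan_requests(SAMPLE_LOG):
        print(f"line {line_no}: __CSRFTOKEN looks like a serialized .NET object ({prefix}...)")
```

The same header check belongs on the server side as the SI-10 control above describes: reject any token that decodes to this header before it ever reaches a deserializer.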

References