CVE-2019-9874
Published: 31 May 2019
Summary
CVE-2019-9874 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Sitecore CMS. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 0.5% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
The vulnerability is a deserialization of untrusted data flaw (CWE-502) in the Sitecore.Security.AntiCSRF module, also known as the anti-CSRF module. It affects Sitecore CMS versions 7.0 through 7.2 and Sitecore XP versions 7.5 through 8.2, with a CVSS v3.1 base score of 9.8.
An unauthenticated remote attacker can exploit the issue by submitting a crafted serialized .NET object via the HTTP POST parameter __CSRFTOKEN, resulting in arbitrary code execution on the affected server.
Sitecore has published updates through its download portal, and a detailed advisory from Synacktiv outlines the technical root cause along with recommended remediation steps.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2019-19230
Vulnerability details
Deserialization of Untrusted Data in the Sitecore.Security.AntiCSRF (aka anti CSRF) module in Sitecore CMS 7.0 to 7.2 and Sitecore XP 7.5 to 8.2 allows an unauthenticated attacker to execute arbitrary code by sending a serialized .NET object in the HTTP POST parameter __CSRFTOKEN.
- CWE(s): CWE-502
- KEV Date Added: 26 March 2025
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation of the untrusted HTTP input (__CSRFTOKEN) before any .NET deserialization, closing the arbitrary-code path.
- SI-2 (Flaw Remediation): mandates prompt application of the vendor patches that remove the unsafe deserialization routine in Sitecore.Security.AntiCSRF.
- SI-7 (Software, Firmware, and Information Integrity): requires integrity verification of software and data, which enables detection of unauthorized code introduced through a successful deserialization exploit.
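As an added illustration of the input-validation control above and of the attack path described under "Deeper analysis" (this is example code, not Sitecore's module or its actual patch; it assumes .NET 6 or later and a session identifier available to the request handler), the anti-CSRF token is issued as an opaque HMAC-signed value and validated by fixed structure and MAC, so the client-supplied __CSRFTOKEN value is never passed to a .NET deserializer:

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Hardened anti-CSRF token (illustrative, not Sitecore's patch): an opaque nonce
// plus HMAC. Validation checks a fixed byte layout and compares a MAC; no type
// information is read from the client, so there is nothing to deserialize.
public static class CsrfToken
{
    private const int NonceLen = 16, TagLen = 32; // TagLen = HMAC-SHA256 output
    // Server-side secret; assumption: in production it is loaded from protected
    // configuration and shared across the web farm, generated here for brevity.
    private static readonly byte[] Key = RandomNumberGenerator.GetBytes(32);

    // token = base64( nonce || HMAC-SHA256(Key, nonce || sessionId) )
    public static string Issue(string sessionId)
    {
        byte[] nonce = RandomNumberGenerator.GetBytes(NonceLen);
        byte[] token = new byte[NonceLen + TagLen];
        Buffer.BlockCopy(nonce, 0, token, 0, NonceLen);
        Buffer.BlockCopy(Mac(nonce, sessionId), 0, token, NonceLen, TagLen);
        return Convert.ToBase64String(token);
    }

    // True only for a well-formed token bound to this session (SI-10 style
    // validation of the untrusted __CSRFTOKEN value before any further use).
    public static bool Validate(string formValue, string sessionId)
    {
        if (string.IsNullOrEmpty(formValue) || formValue.Length > 128) return false;
        byte[] token;
        try { token = Convert.FromBase64String(formValue); }
        catch (FormatException) { return false; }
        if (token.Length != NonceLen + TagLen) return false;
        byte[] nonce = new byte[NonceLen], tag = new byte[TagLen];
        Buffer.BlockCopy(token, 0, nonce, 0, NonceLen);
        Buffer.BlockCopy(token, NonceLen, tag, 0, TagLen);
        // Constant-time comparison so timing does not reveal matching MAC bytes.
        return CryptographicOperations.FixedTimeEquals(tag, Mac(nonce, sessionId));
    }

    private static byte[] Mac(byte[] nonce, string sessionId)
    {
        byte[] sid = Encoding.UTF8.GetBytes(sessionId);
        byte[] data = new byte[nonce.Length + sid.Length];
        Buffer.BlockCopy(nonce, 0, data, 0, nonce.Length);
        Buffer.BlockCopy(sid, 0, data, nonce.Length, sid.Length);
        return HMACSHA256.HashData(Key, data);
    }
}
```

A request handler calls `CsrfToken.Validate(Request.Form["__CSRFTOKEN"], sessionId)` and rejects the request on `false`; because the value is bound to the session and checked before use, a serialized object in that parameter fails the length and format checks and is discarded.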