
CVE-2019-9875

High · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · RCE

Published: 31 May 2019
Modified: 07 November 2025
KEV Added: 26 March 2025
Patch:
CVSS Score (v3.1): 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.5670 (98.2nd percentile)
Risk Priority: 72 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2019-9875 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Sitecore CMS. Its CVSS v3.1 base score is 8.8 (High).

Operationally, it is ranked in the top 1.8% of CVEs by exploit likelihood (EPSS); CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2019-9875 is a deserialization of untrusted data vulnerability (CWE-502) affecting the anti-CSRF module in Sitecore versions through 9.1. The flaw permits an attacker to supply a malicious serialized .NET object that is processed without sufficient validation, leading to arbitrary code execution on the server.

An authenticated attacker with low privileges can exploit the issue over the network by submitting the crafted object inside an HTTP POST parameter. Successful exploitation yields full control over the application, resulting in high impact to confidentiality, integrity, and availability as reflected in the CVSS 8.8 score.

Sitecore has published updates through its official Downloads portal, while Synacktiv has released a detailed advisory and technical PDF describing the flaw and recommended remediation steps.

No information on observed in-the-wild exploitation is provided in the source references.

EU & UK References

Vulnerability details

Deserialization of Untrusted Data in the anti-CSRF module in Sitecore through 9.1 allows an authenticated attacker to execute arbitrary code by sending a serialized .NET object in an HTTP POST parameter.

CWE(s)
KEV Date Added
26 March 2025

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor / Product / Versions: sitecore / cms / ≤ 9.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

SI-10 Information Input Validation (prevent)

Directly requires validation of all input (including serialized .NET objects in HTTP POST parameters) to reject malformed or untrusted data before deserialization occurs.

SI-2 Flaw Remediation (prevent)

Mandates prompt application of vendor patches that eliminate the unsafe deserialization path in the anti-CSRF module.

Software and Information Integrity Verification (prevent, detect)

Requires integrity verification of software and information to detect or block tampered serialized objects that could lead to code execution.

References