CVE-2025-34510
Published: 17 June 2025
Summary
CVE-2025-34510 is a high-severity Relative Path Traversal (CWE-23) vulnerability in Sitecore Experience Platform. Its CVSS base score is 8.8 (High).
Operationally, it ranks in the top 0.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
Sitecore Experience Manager (XM), Experience Platform (XP), and Experience Commerce (XC) versions 9.0 through 9.3 and 10.0 through 10.4 contain a Zip Slip vulnerability tracked as CVE-2025-34510. The flaw stems from insufficient validation of path traversal sequences within uploaded ZIP archives, classified under CWE-23, and carries a CVSS 3.1 score of 8.8.
A remote attacker with authenticated access can send a crafted HTTP request that uploads a malicious ZIP archive. Successful exploitation permits arbitrary file writes on the server, which can be leveraged to achieve remote code execution.
Sitecore advisory KB1003667 addresses the issue and directs customers to apply the vendor-supplied patches for the affected 9.x and 10.x branches. The accompanying technical analysis from watchTowr Labs details how the vulnerability fits into broader attack chains against the platform.
The associated EPSS score currently stands at 0.8699 with a recorded peak of 0.8737, indicating sustained exploitation interest following disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-18525
Vulnerability details
Sitecore Experience Manager (XM), Experience Platform (XP), and Experience Commerce (XC) versions 9.0 through 9.3 and 10.0 through 10.4 are affected by a Zip Slip vulnerability. A remote, authenticated attacker can exploit this issue by sending a crafted HTTP request to upload a ZIP archive containing path traversal sequences, allowing arbitrary file writes and leading to code execution.
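The "Deeper analysis" and "Vulnerability details" sections above both describe the same defect class: an extractor that writes archive entries without checking that their names stay inside the destination directory. The following is an added example, not code from this record, from Sitecore or from watchTowr Labs; it shows the check such an extractor must perform, resolving every entry against the destination and rejecting any that escape it. The function names, the scratch directory and the two-entry sample archive are constructed for illustration, and the extractor is a generic Python one rather than Sitecore's .NET upload handler.

```python
import io
import os
import tempfile
import zipfile
from pathlib import Path

def is_safe_entry(dest_dir: Path, member_name: str) -> bool:
    """True only if the entry resolves inside dest_dir (the CWE-23 check)."""
    # Archives built on Windows may carry backslashes; normalise first.
    name = member_name.replace("\\", "/")
    if name.startswith("/") or os.path.splitdrive(name)[0]:
        return False  # absolute path or drive letter
    try:
        (dest_dir / name).resolve().relative_to(dest_dir.resolve())
    except ValueError:
        return False  # '..' components climbed out of dest_dir
    return True

def safe_extract(archive: bytes, dest_dir: Path) -> tuple[list[str], list[str]]:
    """Extract only entries that stay under dest_dir; return (extracted, rejected)."""
    extracted, rejected = [], []
    dest_dir.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if not is_safe_entry(dest_dir, info.filename):
                rejected.append(info.filename)  # log or alert on this; never write it
                continue
            target = dest_dir / info.filename.replace("\\", "/")
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
            extracted.append(info.filename)
    return extracted, rejected

def build_sample_archive() -> bytes:
    """Constructed input: one benign entry plus one entry with traversal sequences."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("package/readme.txt", "benign content")
        zf.writestr("../../outside.txt", "must never be written")
    return buf.getvalue()

def demo() -> tuple[list[str], list[str]]:
    """Run the hardened extractor on the constructed archive in a scratch directory."""
    with tempfile.TemporaryDirectory() as tmp:
        return safe_extract(build_sample_archive(), Path(tmp) / "unpack")
```

A rejected entry is the detection signal: an upload handler should fail the whole archive and record the offending name rather than skip it silently.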
- CWE(s): CWE-23 (Relative Path Traversal)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.