Cyber Resilience

CVE-2025-53691

HighPublic PoCRCE

Published: 03 September 2025

Published
03 September 2025
Modified
08 September 2025
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0504 90.0th percentile
Risk Priority 21 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-53691 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Sitecore Experience Platform. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 10.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-53691 is a deserialization of untrusted data vulnerability, catalogued under CWE-502, that permits remote code execution in Sitecore Experience Manager (XM) and Experience Platform (XP). The flaw affects XM and XP versions 9.0 through 9.3 as well as 10.0 through 10.4.

An attacker with low-privileged network access can supply a crafted serialized object that the application deserializes without sufficient validation, resulting in arbitrary code execution on the server with impacts to confidentiality, integrity, and availability. The CVSS 8.8 vector reflects that the attack requires no user interaction and can be launched remotely once low-privilege credentials are obtained.

Sitecore’s KB1003667 advisory addresses the issue and customers should apply the vendor-supplied patches for the affected 9.x and 10.x branches. A public technical analysis from watchTowr further details how cache-poisoning techniques can be leveraged to reach the deserialization sink.

The associated EPSS score has remained flat at 0.0504 with no material increase since disclosure.

EU & UK References

Vulnerability details

Deserialization of Untrusted Data vulnerability in Sitecore Experience Manager (XM), Sitecore Experience Platform (XP) allows Remote Code Execution (RCE).This issue affects Experience Manager (XM): from 9.0 through 9.3, from 10.0 through 10.4; Experience Platform (XP): from 9.0 through 9.3, from…

more

10.0 through 10.4.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Direct RCE via deserialization in a public-facing web app (Sitecore XM/XP) maps to exploitation of exposed applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-53690Same product: Sitecore Experience Commerce
CVE-2025-53693Same product: Sitecore Experience Commerce
CVE-2024-13770Shared CWE-502
CVE-2026-27303Shared CWE-502
CVE-2025-53586Shared CWE-502
CVE-2025-64353Shared CWE-502
CVE-2025-31047Shared CWE-502
CVE-2026-27096Shared CWE-502
CVE-2023-49886Shared CWE-502
CVE-2026-23542Shared CWE-502

Affected Assets

sitecore
experience commerce
9.0 — 10.4
sitecore
experience manager
9.0 — 10.4
sitecore
experience platform
10.4 · 9.0 — 10.4
sitecore
managed cloud
all versions

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires timely patching of the specific deserialization of untrusted data flaw in vulnerable Sitecore versions as detailed in KB1003667 to prevent RCE.

prevent

Enforces validation of untrusted inputs to block malicious serialized data from being deserialized, directly countering CWE-502 exploitation.

detect

Scans for known vulnerabilities like CVE-2025-53691 in Sitecore XM/XP components to identify and prioritize remediation of affected instances.

References