CVE-2025-53691
Published: 03 September 2025
Summary
CVE-2025-53691 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Sitecore Experience Platform. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 10.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-53691 is a deserialization of untrusted data vulnerability, catalogued under CWE-502, that permits remote code execution in Sitecore Experience Manager (XM) and Experience Platform (XP). The flaw affects XM and XP versions 9.0 through 9.3 as well as 10.0 through 10.4.
An attacker with low-privileged network access can supply a crafted serialized object that the application deserializes without sufficient validation, resulting in arbitrary code execution on the server with impacts to confidentiality, integrity, and availability. The CVSS 8.8 vector reflects that the attack requires no user interaction and can be launched remotely once low-privilege credentials are obtained.
Sitecore’s KB1003667 advisory addresses the issue and customers should apply the vendor-supplied patches for the affected 9.x and 10.x branches. A public technical analysis from watchTowr further details how cache-poisoning techniques can be leveraged to reach the deserialization sink.
The associated EPSS score has remained flat at 0.0504 with no material increase since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-26499
Vulnerability details
Deserialization of Untrusted Data vulnerability in Sitecore Experience Manager (XM), Sitecore Experience Platform (XP) allows Remote Code Execution (RCE).This issue affects Experience Manager (XM): from 9.0 through 9.3, from 10.0 through 10.4; Experience Platform (XP): from 9.0 through 9.3, from…
more
10.0 through 10.4.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Direct RCE via deserialization in a public-facing web app (Sitecore XM/XP) maps to exploitation of exposed applications.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Requires timely patching of the specific deserialization of untrusted data flaw in vulnerable Sitecore versions as detailed in KB1003667 to prevent RCE.
Enforces validation of untrusted inputs to block malicious serialized data from being deserialized, directly countering CWE-502 exploitation.
Scans for known vulnerabilities like CVE-2025-53691 in Sitecore XM/XP components to identify and prioritize remediation of affected instances.