Vendor update is available now

A remote code execution vulnerability has been found in enterprise CMS product Sitecore XP

UPDATED A remote code execution vulnerability has been found in enterprise CMS product Sitecore XP that could leave all unpatched instances open to abuse.

Sitecore is an enterprise content management system (CMS), which according to researchers from Assetnote has an estimated 4,500 customers, including Fortune 500 companies.

Read more of the latest security vulnerability news

The researchers found that the software was vulnerable to a pre-authentication RCE attack due to insecure deserialization in the Report.ashx file.

They discovered the vulnerability while probing Sitecore’s attack surface during a client engagement.

A blog post published yesterday (November 2) includes full technical details.

Lateral movement

Shubham Shah, co-founder and CTO of Assetnote, told The Daily Swig that the vulnerability “would be a good starting point for an attacker to gain a foothold in the network if the machine is connected to a domain”.

Shah continued: “After gaining command execution, further attacks can be deployed on the system running Sitecore, but also attacks can be performed against machines in the same network to escalate privileges.”

He added: “We have not seen this bug being exploited in the wild yet. My advice to those that have fallen victim is to ensure that there are no other Sitecore servers they are operating that have the Report.ashx file available.

“Often companies deploy multiple instances of Sitecore, and they must all be remediated for this vulnerability. Alternatively, upgrading to a later Sitecore version (10.x) could also bring great security benefits including this bug being patched.”


The vulnerability is pending a CVE number but is being tracked by the vendor as SC2021-003-499266.

It impacts all Sitecore systems running affected versions, including single-instance and multi-instance environments, managed cloud environments, and all Sitecore server roles (content delivery, content editing, reporting, processing, etc), which are exposed to the internet.

To remediate the problem, Assetnote advised users to “simply remove the Report.ashx file from /sitecore/shell/ClientBin/Reporting/”, and pointed to Sitecore’s security advisory.

Sitecore has advised users to upgrade to version 9.0.0 or higher which protects against the vulnerability.

This article has been updated to include comment from Assetnote.

DON’T MISS Discourse fixes critical validation-related vulnerability in forum software