CVE-2021-42237
Sitecore XP Remote Command Execution Vulnerability
CVSS
9.8
Critical
EPSS
97.9%
p100
KEV
YES
Mar 25, 2022
Exploit Today
80
0-100
Published: Nov 5, 2021 · Last modified: Jul 9, 2026 · CWE-502
Product
Sitecore / XP
Vulnerability
Sitecore XP Remote Command Execution Vulnerability
Added to KEV
Mar 25, 2022
Remediate by
Apr 15, 2022
Known ransomware use
Yes
Summary description
Sitcore XP contains an insecure deserialization vulnerability which can allow for remote code execution.
Required action
Apply updates per vendor instructions.
Notes
https://nvd.nist.gov/vuln/detail/CVE-2021-42237
Sitecore XP 7.5 Initial Release to Sitecore XP 8.2 Update-7 is vulnerable to an insecure deserialization attack where it is possible to achieve remote command execution on the machine. No authentication or special configuration is required to exploit this vulnerability.
- packetstormsecurity.comhttp://packetstormsecurity.com/files/164988/Sitecore-Experience-Platform-XP-Remote-Code-Execution.html
- blog.assetnote.iohttps://blog.assetnote.io/2021/11/02/sitecore-rce/
- support.sitecore.comhttps://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1000776
- packetstormsecurity.comhttp://packetstormsecurity.com/files/164988/Sitecore-Experience-Platform-XP-Remote-Code-Execution.html
- blog.assetnote.iohttps://blog.assetnote.io/2021/11/02/sitecore-rce/
- support.sitecore.comhttps://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1000776
- www.cisa.govhttps://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-42237