Security Bulletin SC2025-003


Description

This article reports a Critical vulnerability (SC2025-003) for which a solution is available. Successful exploitation might lead to remote code execution and unauthorized access to information.

We encourage Sitecore customers and partners to familiarize themselves with the information that follows and apply the Solution to all affected Sitecore instances. We also recommend that customers maintain their environments in security-supported versions and apply all available security fixes without delay.

The vulnerability impacts the following Sitecore products:

Sitecore Products                             Impact
Experience Manager (XM)                       Impacted*
Experience Platform (XP)                      Impacted*
Experience Commerce (XC)                      Impacted*
Managed Cloud                                 Impacted**
XM Cloud                                      Not impacted
Content Hub                                   Not impacted
CDP and Personalize (formerly Boxever)        Not impacted
OrderCloud (formerly Four51 OrderCloud)       Not impacted
Storefront (formerly Four51 Storefront)       Not impacted
Moosend                                       Not impacted
Send                                          Not impacted
Discover (formerly Reflektion)                Not impacted
Commerce Server                               Not impacted

* The vulnerability impacts all Experience Platform topologies (XM, XP, XC) from 9.0 Initial Release through 10.4 Initial Release, inclusive. PaaS and containerized deployments are also affected.
** Managed Cloud customers who run the affected Experience Platform versions are affected.
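Before scheduling the patch across a fleet, it helps to know which webroots fall inside the affected range. The following script is an added example, not Sitecore's code or part of this bulletin: it reads the version from each instance's sitecore/shell/sitecore.version.xml (assuming the standard <information><version><major>/<minor>/<build> layout shown in the constructed sample below; the revision number in the sample is a placeholder) and compares it against the range stated in the footnote, 9.0 Initial Release through 10.4 Initial Release. "In range" means the version is one the bulletin lists as impacted; the check cannot tell whether the patch from the Solution section has already been applied to that webroot.

```python
"""Classify Sitecore XP/XM/XC webroots against the SC2025-003 version range.

Added illustration, not Sitecore's own code. Assumes the standard
sitecore/shell/sitecore.version.xml layout:
  <information><version><major/><minor/><build/><revision/></version>...</information>
"""
import sys
import xml.etree.ElementTree as ET
from pathlib import Path
from typing import Dict, Iterator, Optional, Tuple

Version = Tuple[int, int, int]  # (major, minor, build); "Initial Release" has build 0

# Range stated in the bulletin footnote, inclusive on both ends.
AFFECTED_MIN: Version = (9, 0, 0)    # 9.0 Initial Release
AFFECTED_MAX: Version = (10, 4, 0)   # 10.4 Initial Release


def parse_sitecore_version(xml_text: str) -> Version:
    """Return (major, minor, build) from the contents of sitecore.version.xml."""
    root = ET.fromstring(xml_text)
    ver = root.find("version")
    if ver is None:
        raise ValueError("no <version> element in sitecore.version.xml")

    def field(name: str) -> int:
        el = ver.find(name)
        if el is None or not (el.text or "").strip():
            raise ValueError(f"missing <{name}> under <version>")
        return int(el.text.strip())

    return (field("major"), field("minor"), field("build"))


def is_affected(version: Version) -> bool:
    """True if the version lies in the bulletin's impacted range."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def find_version_files(webroot: Path) -> Iterator[Path]:
    """Each role's webroot (CM, CD, Processing, ...) carries its own copy."""
    yield from webroot.rglob("sitecore.version.xml")


def scan(webroots) -> Dict[str, Tuple[Optional[Version], object]]:
    """Map each version file found to (version, in_range) or (None, error text)."""
    results: Dict[str, Tuple[Optional[Version], object]] = {}
    for root in webroots:
        for f in find_version_files(Path(root)):
            try:
                v = parse_sitecore_version(f.read_text(encoding="utf-8-sig"))
                results[str(f)] = (v, is_affected(v))
            except (ET.ParseError, ValueError) as exc:
                results[str(f)] = (None, f"unreadable: {exc}")
    return results


# Constructed sample; the revision value is a placeholder, not a real build number.
SAMPLE_VERSION_XML = """<?xml version="1.0" encoding="utf-8"?>
<information>
  <version>
    <major>10</major>
    <minor>3</minor>
    <build>1</build>
    <revision>000000</revision>
  </version>
  <title>Sitecore.NET</title>
</information>
"""

if __name__ == "__main__":
    # Stand-alone run: classify the constructed sample, then any webroots given as arguments.
    v = parse_sitecore_version(SAMPLE_VERSION_XML)
    print(f"sample {'.'.join(map(str, v))}: {'IN RANGE' if is_affected(v) else 'out of range'}")
    for path, (ver, status) in scan(sys.argv[1:]).items():
        label = ("IN RANGE" if status is True else "out of range") if ver else status
        print(f"{path}: {'.'.join(map(str, ver)) if ver else '?'} -> {label}")
```

Run it with one or more webroot paths as arguments (for example the inetpub folders of each role). A result of "out of range" only means the version is not one the bulletin names; it is not a statement that the instance is secure or supported.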

This Security Bulletin might receive additional updates as further details are discovered, and the History Of Updates section will provide a detailed list of all the changes.

If you want to receive notifications about new Security Bulletins, subscribe to the Security Bulletins.

Severity Definitions

To help customers and partners understand the severity of the potential security vulnerabilities, Sitecore uses the definitions from the Severity Definitions for Security Vulnerabilities to report security issues.

Solution

To mitigate the vulnerability, apply the following temporary solution to all affected Sitecore systems. The patch applies to all impacted product versions. Follow the installation instructions and the steps in the Readme.md file:

Sitecore will additionally provide cumulative pre-releases for mainstream Sitecore XP versions at a later date that include the same fix. Once available, they can be used instead of the patch to address this issue.

FAQ

Does the issue affect all Sitecore XP Core server roles (Content Delivery, Content Management, Reporting, Processing, EXM Dispatch)?
Yes, the issue impacts all Sitecore XP Core server roles. Apply the solution above to each role. For details, refer to the installation instructions in the corresponding Readme.md file from the Solution section.


If we use Azure Marketplace to install a new instance soon (for example, 10.3), will it include the hotfix mentioned above, or will we still need to apply it manually? Are hotfixes automatically rolled into Azure Marketplace?

No, hotfixes are not automatically rolled into Azure Marketplace. Azure Marketplace offers the same versions that have been released at dev.sitecore.net. If the issue has not been fixed in the released version you install, apply the solution above to your instance.


Is it possible to provide more information regarding the vulnerability?

No, it is not possible for security reasons. Disclosing further details could reveal the exploitation scenario and put customers at severe risk.

Does the vulnerability impact Managed Cloud subscriptions?
The vulnerability impacts both Managed Cloud Standard and Managed Cloud Premium subscriptions. Apply the solution above to mitigate the vulnerability.

History Of Updates