Full Report
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two six-year-old security flaws impacting Sitecore CMS and Experience Platform (XP) to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The vulnerabilities are listed below - CVE-2019-9874 (CVSS score: 9.8) - A deserialization vulnerability in the Sitecore.Security.AntiCSRF
Analysis Summary
# Vulnerability: Active Exploitation of Sitecore CMS/XP Deserialization Flaws (CVE-2019-9874, CVE-2019-9875)
## CVE Details
- CVE ID: CVE-2019-9874
- CVSS Score: 9.8 (Critical)
- CWE: [Not specified, related to Deserialization]
- CVE ID: CVE-2019-9875
- CVSS Score: 8.8 (High)
- CWE: [Not specified, related to Deserialization]
## Affected Systems
- Products: Sitecore CMS and Experience Platform (XP)
- Versions: [Specific vulnerable versions are not listed in the context, but patches were issued in 2020.]
- Configurations: N/A
## Vulnerability Description
Both flaws are deserialization vulnerabilities residing within the `Sitecore.Security.AntiCSRF` module. They allow for arbitrary code execution by sending a specially crafted, serialized .NET object via the `__CSRFTOKEN` HTTP POST parameter.
* **CVE-2019-9874:** Exploitable by an **unauthenticated** attacker.
* **CVE-2019-9875:** Requires the attacker to be **authenticated**.
## Exploitation
- Status: **Exploited in the wild** (Confirmed for CVE-2019-9874; Sitecore was aware of active exploitation as of March 30, 2020).
- Complexity: [Not explicitly stated. In general, deserialization RCE is high complexity on the payload-creation side, but low complexity to execute once a working payload exists.]
- Attack Vector: Network (Inferred, as it involves HTTP requests)
## Impact
Because both vulnerabilities can lead to Remote Code Execution (RCE), the impact is:
- Confidentiality: High
- Integrity: High
- Availability: High
## Remediation
### Patches
- Patches are available, as Sitecore addressed these vulnerabilities previously (update noted March 30, 2020). Federal agencies are required to apply necessary patches by April 16, 2025. (Specific patch versions are not detailed in this text; users must refer to Sitecore advisories.)
### Workarounds
- [No specific workarounds are detailed in this summary, beyond applying patches.]
## Detection
- Detection methods would focus on monitoring HTTP POST traffic targeting the `__CSRFTOKEN` parameter for serialized .NET objects, especially in environments running older, unpatched versions of Sitecore.
- Indicators of Compromise (IOCs): No specific IOCs are given; any indicators would come from the payload executed after a successful RCE.
## References
- Vendor Advisory (CVE-2019-9874): support dot sitecore dot com/kb?id=kb_article_view&sysparm_article=KB0334035
- Vendor Advisory (CVE-2019-9875): support dot sitecore dot com/kb?id=kb_article_view&sysparm_article=KB0038556
- CISA KEV Update: cisa dot gov/news-events/alerts/2025/03/26/cisa-adds-two-known-exploited-vulnerabilities-catalog
***
# Vulnerability: Next.js Authorization Bypass via Middleware Spoofing (CVE-2025-29927)
## CVE Details
- CVE ID: CVE-2025-29927
- CVSS Score: 9.1 (Critical)
- CWE: Authorization Bypass (Inferred)
## Affected Systems
- Products: Next.js web framework
- Versions: [Specific vulnerable versions are not listed.]
- Configurations: Applications utilizing middleware subject to subrequest flow control.
## Vulnerability Description
This is an authorization bypass vulnerability in the Next.js middleware handling. An attacker can bypass middleware-based security checks by spoofing the HTTP header `"x-middleware-subrequest"`. This allows an attacker to simulate internal subrequests, essentially abusing Next.js's internal redirect logic to gain unauthorized access to sensitive application resources.
## Exploitation
- Status: Initial exploit attempts observed in the wild (by Akamai analysis).
- Complexity: Medium (Payload involves specific formatting described below).
- Attack Vector: Network
## Impact
Impact details are not explicitly broken down, but an authorization bypass leading to resource access implies High impact across all categories.
- Confidentiality: High (Inferred)
- Integrity: High (Inferred)
- Availability: High (Inferred)
## Remediation
### Patches
- [Patches are not detailed in this context, but should be sought from the Next.js vendor.]
### Workarounds
- One observed technique involved using the header `"x-middleware-request"` with the value: `"src/middleware:src/middleware:src/middleware:src/middleware:src/middleware"`. Blocking or closely scrutinizing requests containing this header pattern might serve as a temporary measure.
## Detection
- Detection should focus on inspecting HTTP request headers for unusual or repeated patterns in the `"x-middleware-subrequest"` or `"x-middleware-request"` headers, specifically values that attempt to chain internal redirects.
## References
- Research Detail: checkmarx dot com/zero-post/critical-cve-2025-29927-research-nextjs-middleware-authorization-bypass/
- Akamai Writeup: akamai dot com/blog/security-research/2025/mar/march-authorization-bypass-critical-nextjs-detections-mitigations
- PoC Similarity: zhero-web-sec dot github dot io/research-and-things/nextjs-and-the-corrupt-middleware/
***
# Vulnerability: Active Exploitation of DrayTek Router Command Injection/LFI (CVE-2020-8515, CVE-2021-20123, CVE-2021-20124)
## CVE Details
- CVE ID: CVE-2020-8515
- CVSS Score: 9.8 (Critical)
- CWE: OS Command Injection
- CVE ID: CVE-2021-20123
- CVSS Score: 7.5 (High)
- CWE: Local File Inclusion (LFI)
- CVE ID: CVE-2021-20124
- CVSS Score: 7.5 (High)
- CWE: Local File Inclusion (LFI)
## Affected Systems
- Products: DrayTek Routers
- Versions: Not specified, but vulnerabilities are known and actively exploited.
- Configurations: Specific URIs/endpoints are vulnerable.
## Vulnerability Description
GreyNoise reported active exploitation attempts against these long-standing DrayTek vulnerabilities:
* **CVE-2020-8515:** OS Command Injection via the `/cgi-bin/mainfunction.cgi` URI. Allows unauthenticated remote code execution as root using shell metacharacters.
* **CVE-2021-20123:** LFI via the `DownloadFileServlet` endpoint in DrayTek VigorConnect. Allows unauthenticated arbitrary file download with root privileges.
* **CVE-2021-20124:** LFI via the `WebServlet` endpoint in DrayTek VigorConnect. Allows unauthenticated arbitrary file download with root privileges.
## Exploitation
- Status: **Exploited in the wild** (Reported by GreyNoise).
- Complexity: Varies (CVE-2020-8515 often yields low complexity RCE).
- Attack Vector: Network
## Impact
* CVE-2020-8515 (RCE as root): High impact on C, I, and A.
* CVE-2021-20123/20124 (LFI as root): High potential impact on C, I, and A via reading sensitive files or leveraging LFI for code execution.
## Remediation
### Patches
- Patches for these CVEs exist but specific versions are not provided here. Affected users must consult DrayTek advisories.
### Workarounds
- [No specific workarounds detailed in this summary.]
## Detection
- Monitoring network traffic directed at router management interfaces, specifically requests targeting:
  - `/cgi-bin/mainfunction.cgi` (looking for shell metacharacters).
  - `DownloadFileServlet` and `WebServlet` endpoints in VigorConnect instances.
- Top attack source countries listed for CVE-2020-8515 included Indonesia, Hong Kong, and the US.
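The three Detection sections above (the Sitecore `__CSRFTOKEN` parameter, the Next.js internal middleware headers, and the DrayTek endpoints) all describe request-level patterns a proxy or WAF log can be screened for. The script below is an added example of that triage logic; it is not code from the page, from CISA, GreyNoise, Akamai, Checkmarx or any vendor. It assumes requests have already been parsed into method/path/headers/body records (the sample records are constructed), that legitimate `__CSRFTOKEN` values are far shorter than the 512-character threshold used here, and that the base64 prefix `AAEAAAD/////` marks a .NET BinaryFormatter stream (its serialization header bytes `00 01 00 00 00 FF FF FF FF`); other .NET serializers produce different prefixes, so the length rule is the fallback. Rule names such as `sitecore-csrftoken-binaryformatter` are hypothetical labels chosen for this example.

```python
import re
from urllib.parse import parse_qs

# Constructed sample requests in the shape a reverse proxy or WAF might log
# them. None of these are real captures; they exist only to exercise the rules.
SAMPLE_REQUESTS = [
    {   # 1. Sitecore form post with a short anti-CSRF token (benign)
        "method": "POST", "path": "/sitecore/shell/default.aspx",
        "headers": {"content-type": "application/x-www-form-urlencoded"},
        "body": "__CSRFTOKEN=abc123short&field=hello",
    },
    {   # 2. __CSRFTOKEN whose base64 starts with the BinaryFormatter header;
        #    the rest is filler, not a real serialized object
        "method": "POST", "path": "/sitecore/shell/default.aspx",
        "headers": {"content-type": "application/x-www-form-urlencoded"},
        "body": "__CSRFTOKEN=AAEAAAD%2F%2F%2F%2F%2F" + "QUFB" * 200 + "&field=x",
    },
    {   # 3. external request carrying the Next.js internal subrequest header
        "method": "GET", "path": "/admin/dashboard",
        "headers": {"x-middleware-subrequest":
                    "src/middleware:src/middleware:src/middleware:"
                    "src/middleware:src/middleware"},
        "body": "",
    },
    {   # 4. DrayTek management CGI with a shell metacharacter in a value
        "method": "POST", "path": "/cgi-bin/mainfunction.cgi",
        "headers": {}, "body": "action=login&param=abc%3Bxyz",
    },
    {   # 5. VigorConnect file-serving endpoint named in the GreyNoise report
        "method": "GET", "path": "/DownloadFileServlet?file=report.pdf",
        "headers": {}, "body": "",
    },
    {   # 6. unrelated benign request
        "method": "GET", "path": "/index.html", "headers": {}, "body": ""},
]

# base64 of the .NET BinaryFormatter stream header bytes 00 01 00 00 00 FF FF FF FF
BINARYFORMATTER_B64_PREFIX = "AAEAAAD/////"
TOKEN_LENGTH_THRESHOLD = 512          # assumption: real tokens are far shorter
SHELL_META = re.compile(r"[;|&`$]")   # the kind of shell metacharacters the DrayTek CVE describes
MIDDLEWARE_HEADERS = ("x-middleware-subrequest", "x-middleware-request")
VIGORCONNECT_ENDPOINTS = ("DownloadFileServlet", "WebServlet")


def check_sitecore(req):
    """Flag POST bodies whose __CSRFTOKEN looks like a serialized .NET object."""
    if req["method"] != "POST":
        return None
    for token in parse_qs(req["body"]).get("__CSRFTOKEN", []):
        if token.startswith(BINARYFORMATTER_B64_PREFIX):
            return "sitecore-csrftoken-binaryformatter"
        if len(token) > TOKEN_LENGTH_THRESHOLD:
            return "sitecore-csrftoken-oversized"
    return None


def check_nextjs(req):
    """Flag any external request carrying a Next.js internal middleware header;
    the repeated 'middleware' segments are what the observed attempts used."""
    headers = {k.lower(): v for k, v in req["headers"].items()}
    for name in MIDDLEWARE_HEADERS:
        if name in headers:
            depth = headers[name].count("middleware")
            return f"nextjs-internal-header:{name}:depth={depth}"
    return None


def check_draytek(req):
    """Flag mainfunction.cgi requests with shell metacharacters in any
    parameter value, and any request to the VigorConnect file endpoints."""
    route, _, query = req["path"].partition("?")
    if route.startswith("/cgi-bin/mainfunction.cgi"):
        params = parse_qs(query)
        params.update(parse_qs(req["body"]))
        for values in params.values():
            if any(SHELL_META.search(v) for v in values):
                return "draytek-mainfunction-shell-metachar"
        return None   # ordinary admin logins also hit this CGI; no metacharacters, no alert
    if any(endpoint in route for endpoint in VIGORCONNECT_ENDPOINTS):
        return "draytek-vigorconnect-file-endpoint"
    return None


def scan(requests):
    """Run every rule over every request; returns (1-based index, finding) pairs."""
    findings = []
    for index, req in enumerate(requests, 1):
        for check in (check_sitecore, check_nextjs, check_draytek):
            hit = check(req)
            if hit:
                findings.append((index, hit))
    return findings


if __name__ == "__main__":
    for index, finding in scan(SAMPLE_REQUESTS):
        print(f"request {index}: {finding}")
```

Parameter values are checked after URL-decoding rather than on the raw body, because the raw body's `&` separators would otherwise trip the metacharacter rule on every form post; the Next.js rule alerts on the header's mere presence from outside, since it is meant to be internal to the framework, and records the chain depth so that the five-segment pattern from the observed attempts stands out.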
## References
- GreyNoise Report: greynoise dot com/blog/in-the-wild-activity-against-draytek-routers