CVE-2019-9875

unknown KEV

Published 2025-03-26 · Modified 2025-03-26

CVSS v3

—

CVSS v2

—

VIR risk

1.5

Description

Sitecore CMS and Experience Platform (XP) contain a deserialization vulnerability in the Sitecore.Security.AntiCSRF module that allows an authenticated attacker to execute arbitrary code by sending a serialized .NET object in the HTTP POST parameter __CSRFTOKEN.

CISA KEV

Vendor: Sitecore
Product: CMS and Experience Platform (XP)
Due date: 2025-04-16

Predictions

Exploit likelihood

99%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: cisa-kev — https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB0038556 ; https://nvd.nist.gov/vuln/detail/CVE-2019-9875

Exploits

References

https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB0038556 ; https://nvd.nist.gov/vuln/detail/CVE-2019-9875

Verify integrity in audit chain (admin only). AS-IS.