CVE Catalog

Actively exploited in the wild

Sitecore XP Remote Command Execution Vulnerability

Sitecore — XP · Listed in the CISA KEV since 2022-03-25. This indicates confirmed attacks in production environments.

Required action: Apply updates per vendor instructions.

CVE-2021-42237

Severity: Critical · CVSS 9.8 · CISA KEV
Source: NVD (NIST)

Exploitation Probability (EPSS)

Very high risk
99.21%

100th percentile — higher than 100% of all known CVEs

Summary

A vulnerability in Sitecore XP from version 7.5 to 8.2 Update-7 allows remote code execution through insecure deserialization. The attack requires no authentication or special configuration.

Risk Assessment

The risk to the organization is critical as an attacker can take over the server without any privileges, leading to full system and data compromise.

Recommendation

Immediately update Sitecore XP to version 8.2 Update-8 or later, which includes a fix for this vulnerability.

Original NVD description (English source)

Sitecore XP 7.5 Initial Release to Sitecore XP 8.2 Update-7 is vulnerable to an insecure deserialization attack where it is possible to achieve remote command execution on the machine. No authentication or special configuration is required to exploit this vulnerability.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS