Actively exploited in the wild
Sitecore XP Remote Command Execution Vulnerability
Sitecore — XP · Listed in the CISA KEV since 2022-03-25. This indicates confirmed attacks in production environments.
Required action: Apply updates per vendor instructions.
CVE-2021-42237
Critical · CVSS 9.8 · KEV
Exploitation Probability (EPSS): Very high risk · 100th percentile — higher than 100% of all known CVEs
Summary
A vulnerability in Sitecore XP from version 7.5 to 8.2 Update-7 allows remote code execution through insecure deserialization. The attack requires no authentication or special configuration.
Risk Assessment
The risk to the organization is critical, as an attacker can take over the server without any privileges, leading to full system and data compromise.
Recommendation
Immediately update Sitecore XP to version 8.2 Update-8 or later, which includes a fix for this vulnerability.
Original NVD description (English source)
Sitecore XP 7.5 Initial Release to Sitecore XP 8.2 Update-7 is vulnerable to an insecure deserialization attack where it is possible to achieve remote command execution on the machine. No authentication or special configuration is required to exploit this vulnerability.

