Researchers chained a pre-auth HTML cache poisoning vulnerability in Sitecore Experience Platform with a post-auth insecure deserialization flaw to achieve full compromise of a patched instance. They also showed how exposing the ItemService API (or leveraging search behavior) lets attackers enumerate cache keys and reliably exploit the cache poisoning to inject arbitrary HTML and trigger RCE. #Sitecore #WT-2025-0023 #WT-2025-0019
Keypoints
- WatchTowr Labs found and disclosed three Sitecore vulnerabilities: WT-2025-0023 (CVE-2025-53693) HTML cache poisoning, WT-2025-0019 (CVE-2025-53691) post-auth insecure deserialization RCE, and WT-2025-0027 (CVE-2025-53694) ItemServices information disclosure.
- A pre-auth XAML handler (Sitecore.Shell.Xaml.WebControl) can be invoked to reach AjaxScriptManager, which allows reflective invocation of Sitecore methods on XmlControl-derived controls; this lets AddToCache(string, string) be called with attacker-controlled values.
- AddToCache enables unauthenticated overwriting of Sitecore HTML cache entries if the cache key can be predicted, allowing arbitrary HTML to be served from cache (HTML cache poisoning).
- The ItemService API, when exposed or misconfigured with anonymous access, reveals item paths and caching configuration (Cacheable, VaryBy* settings) so attackers can enumerate and fully predict cache keys to automate poisoning.
- ConvertToRuntimeHtml pipeline contains a deserialization sink (Sitecore.Convert.Base64ToObject) reachable via the FixHtml flow; attacker-supplied HTML can include base64 payloads that are deserialized, giving post-auth RCE.
- Search API behavior exposing TotalCount while filtering Results can be abused as an oracle to enumerate GUIDs or other values (blind enumeration), aiding exploitation when anonymous access is restricted.
- Sitecore released patches in June–July 2025 after disclosure; researchers documented timelines and provided proof-of-concept demonstration flows for cache poisoning and chaining to RCE.
MITRE Techniques
- [T1204] User Execution – Attackers trick or leverage Sitecore UI flows (Content Editor Fix HTML) to get user-supplied HTML processed by the convertToRuntimeHtml pipeline, ultimately triggering deserialization. Quote: 'this.SanitizeHtml(StringUtil.GetString(urlHandle["html"]))'
- [T1553] Subvert Trust Controls – Abuse of AjaxScriptManager and XAML handlers to invoke Sitecore.Web.UI.WebControl.AddToCache and overwrite trusted cached HTML content. Quote: '__PARAMETERS=AddToCache("watever","watchTowr") & __SOURCE=…'
- [T1059] Command and Scripting Interpreter – Injected JavaScript via poisoned HTML cache to run code in victim browsers (chain from cache poisoning to execution). Quote: 'we can hand it two things: The name of the cache key Whatever HTML content we want stored under that key'
- [T1505] Server Software Component – Exploitation of Sitecore server components (ItemService API) to enumerate items and configuration that influence cache keys. Quote: 'GET /sitecore/api/ssc/item'
- [T1203] Exploitation of Remote Services – Remote abuse of ItemService endpoints to retrieve item metadata and device lists enabling cache-key prediction. Quote: 'GET /sitecore/api/ssc/item/search?term=layouts&fields=&page=0&pagesize=100'
- [T1190] Exploit Public-Facing Application – Pre-auth HTTP request to XAML handler endpoints (e.g., GET /-/xaml/Sitecore.Shell.Xaml.WebControl) to trigger vulnerable code paths. Quote: 'GET /-/xaml/Sitecore.Shell.Xaml.WebControl'
- [T1040] Network Sniffing – Use of predictable cache entries and enumeration to harvest information about devices and cached items (oracle-based discovery via search TotalCount). Quote: '"TotalCount":3' used to infer valid GUID prefixes in blind enumeration
Indicators of Compromise
- [HTTP Endpoint] vulnerable XAML and API endpoints – /-/xaml/Sitecore.Shell.Xaml.WebControl, /sitecore/api/ssc/item (ItemService)
- [HTTP Request Parameters] cache poisoning and method invocation – __PARAMETERS=AddToCache(…), __SOURCE=ctl00_ctl00_ctl05_ctl03
- [API Response Field] item metadata showing cacheable settings – example item path /layouts/Sample Sublayout.ascx with "Cacheable":"1" and "VaryByDevice":"1"
- [Cache Key Examples] predicted cache key format – /layouts/Sample+Sublayout.ascx_#lang:EN_#login:False_#qs:_#index
- [Search Responses] device enumeration values – Device names: Mobile, JSON, Default, Feed, Print, and 2 more
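The indicators above translate directly into web-server log detections. The following is an added example, not code from the WatchTowr write-up or from Sitecore: it scans a handful of constructed W3C/IIS-style access-log lines (date, time, method, uri-stem, uri-query, status, client IP; the format and every value are assumed) for the XAML handler path, the __PARAMETERS=AddToCache(...) invocation, and ItemService search/item access, then correlates clients that both enumerated ItemService and invoked AddToCache, which is the chained behaviour the research describes.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample log lines in a W3C/IIS-like layout (assumption):
# date time method uri-stem uri-query status client-ip. "-" means empty query.
# The GUID and IPs are placeholders, not values from any real Sitecore host.
SAMPLE_LOG = """\
2025-07-01 10:00:01 GET /sitecore/api/ssc/item/search term=layouts&fields=&page=0&pagesize=100 200 203.0.113.7
2025-07-01 10:00:02 GET /-/xaml/Sitecore.Shell.Xaml.WebControl __PARAMETERS=AddToCache(%22watever%22,%22watchTowr%22)&__SOURCE=ctl00_ctl00_ctl05_ctl03 200 203.0.113.7
2025-07-01 10:00:03 GET /-/layouts/Sample+Sublayout.ascx - 200 198.51.100.4
2025-07-01 10:00:04 GET /sitecore/api/ssc/item/%7B00000000-0000-0000-0000-000000000000%7D - 200 203.0.113.7
2025-07-01 10:00:05 GET /index.html - 200 198.51.100.9
"""

LOG_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<query>\S+) "
    r"(?P<status>\d{3}) (?P<client>\S+)$"
)

# Detection rules derived from the IoC list, most specific first; a line yields
# at most one finding. Predicates receive the URL-decoded, lower-cased path and query.
RULES = [
    ("xaml_addtocache_invocation", "high",
     lambda p, q: p.startswith("/-/xaml/") and "__parameters=addtocache(" in q),
    ("xaml_handler_request", "medium",
     lambda p, q: p.startswith("/-/xaml/")),
    ("itemservice_search", "medium",
     lambda p, q: p.startswith("/sitecore/api/ssc/item/search")),
    ("itemservice_item_access", "low",
     lambda p, q: p.startswith("/sitecore/api/ssc/item")),
]


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the layout."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # Decode percent-encoding and '+' so obfuscated variants of the indicators still match.
    rec["path_l"] = unquote_plus(rec["path"]).lower()
    rec["query_l"] = "" if rec["query"] == "-" else unquote_plus(rec["query"]).lower()
    return rec


def scan(log_text):
    """Return a list of findings: line number, client, matched rule and severity."""
    findings = []
    for n, raw in enumerate(log_text.splitlines(), 1):
        rec = parse_line(raw)
        if rec is None:
            continue
        for name, severity, pred in RULES:
            if pred(rec["path_l"], rec["query_l"]):
                findings.append({"line": n, "client": rec["client"],
                                 "rule": name, "severity": severity})
                break
    return findings


def correlate(findings):
    """Clients that both enumerated ItemService and invoked AddToCache through the XAML handler."""
    rules_by_client = {}
    for f in findings:
        rules_by_client.setdefault(f["client"], set()).add(f["rule"])
    return sorted(c for c, rules in rules_by_client.items()
                  if "itemservice_search" in rules and "xaml_addtocache_invocation" in rules)


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for h in hits:
        print(f"line {h['line']}: {h['severity']:6} {h['rule']} from {h['client']}")
    print("chained clients:", correlate(SAMPLE_LOG and hits))
```

Any hit on xaml_addtocache_invocation from an unauthenticated source is worth an alert on its own, since the page describes the handler as reachable pre-auth; the correlation step mainly helps triage by surfacing the enumeration-then-poison sequence. Because the rules match on decoded, lower-cased values, percent-encoded or mixed-case variants of the indicator strings are caught as well.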
Read more: https://labs.watchtowr.com/cache-me-if-you-can-sitecore-experience-platform-cache-poisoning-to-rce/