Sitecore XP RCE flaw is being actively exploited, ACSC warns

The vulnerability was fixed last month but hackers are now moving against patching laggards

The Australian Cyber Security Center (ACSC) has cautioned organizations that hackers are actively exploiting a remote code execution flaw in the Sitecore Experience Platform (Sitecore XP).

Successful exploitation of the vulnerability (CVE-2021-42237) results in remote code execution that “could allow an internet-based actor to install malware/ or webshells and perform other actions”, ACSC said in a statement. 

“The ACSC is aware of active exploitation of this vulnerability in Australia,” it added.

Sitecore XP is a content management system (CMS) that combines customer data, analytics, artificial intelligence (AI), and marketing automation capabilities. This CMS is used heavily by enterprises, including many of the companies within the Fortune 500. The company rolled out a patch for the flaw in October.

“The vulnerability is related to a remote code execution vulnerability through insecure deserialization in the Report.ashx file,” Sitecore said in a security advisory. “This file was used to drive the Executive Insight Dashboard (of Silverlight report) that was deprecated in 8.0 Initial Release.”

The firm added that the vulnerability applies to all Sitecore systems running affected versions, including single-instance and multi-instance environments, Managed Cloud environments, and all Sitecore server roles (content delivery, content editing, reporting, processing, etc.), which are exposed to the internet. 

According to Mitre’s CVE website on the flaw, Sitecore XP 7.5 Initial Release to Sitecore XP 8.2 Update-7 is “vulnerable to an insecure deserialization attack where it is possible to achieve remote command execution on the machine. No authentication or special configuration is required to exploit this vulnerability.”

The flaw was first picked up by security researchers at Assetnote. Shubham Shah, co-founder and CTO of Assetnote, said that while investigating the Sitecore product and its source code, his team found that the code does not require any authentication.

Shah added that, to remediate this vulnerability, admins can remove the Report.ashx file from /sitecore/shell/ClientBin/Reporting/. He said that, in performing offensive security source code analysis, his team often discovers critical vulnerabilities in enterprise software that are incredibly easy to exploit.

“The apps that we have been auditing are complex, however, the vulnerabilities are quite simple. With a concerted effort in taking apart these enterprise apps, we are able to discover critical vulnerabilities, after understanding the attack surface,” he said.

Sitecore has advised users to upgrade to version 9.0.0 or higher, which protects against the vulnerability.
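For administrators checking whether an internet-facing instance has received requests to the handler named above, the following added example (not code from Sitecore, the ACSC or Assetnote) scans IIS logs for hits on /sitecore/shell/ClientBin/Reporting/Report.ashx. It assumes IIS W3C extended logging with the standard `cs-uri-stem`, `c-ip`, `cs-method` and `sc-status` fields; the sample log lines are constructed, and treating a 404 as "file already removed" is a triage heuristic, not a guarantee.

```python
from collections import defaultdict
from urllib.parse import unquote

# Handler location named in the article; IIS paths are case-insensitive.
TARGET = "/sitecore/shell/clientbin/reporting/report.ashx"

# Constructed sample in IIS W3C extended format (documentation IP ranges).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2021-11-20 03:14:07 GET /sitecore/login - 198.51.100.7 200
2021-11-20 03:14:09 POST /sitecore/shell/ClientBin/Reporting/Report.ashx - 203.0.113.50 200
2021-11-20 03:15:41 POST /sitecore/shell/clientbin/reporting/report.ashx - 203.0.113.50 500
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2021-11-21 10:02:33 192.0.2.14 GET /sitecore/shell/ClientBin/Reporting/Report.ashx 404
2021-11-21 10:05:00 192.0.2.14 GET /default.aspx 200
"""

def normalize(stem):
    """Percent-decode, lowercase, and collapse repeated slashes."""
    path = unquote(stem).lower().replace("\\", "/")
    while "//" in path:
        path = path.replace("//", "/")
    return path

def find_report_ashx_hits(lines):
    """Return {client_ip: [(date, time, method, status), ...]} for the handler."""
    fields, hits = [], defaultdict(list)
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column order can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split(" ")))
        if normalize(row.get("cs-uri-stem", "")) != TARGET:
            continue
        hits[row.get("c-ip", "?")].append(
            (row.get("date"), row.get("time"), row.get("cs-method"), row.get("sc-status")))
    return dict(hits)

def needs_review(hits):
    """Heuristic (assumption): any non-404 status means the handler was reached."""
    return sorted(ip for ip, reqs in hits.items()
                  if any(status != "404" for *_, status in reqs))

if __name__ == "__main__":
    found = find_report_ashx_hits(SAMPLE_LOG.splitlines())
    for ip in needs_review(found):
        print(ip, found[ip])
```

To run it against real logs, pass the lines of each IIS log file to `find_report_ashx_hits` instead of `SAMPLE_LOG`.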
