Vulnerability Report

CVE-2021-42237

RCE CISA KEV Active

Title: Insecure Deserialization in Sitecore XP

RCE

Proof Of Concept

PoC Available for CVE-2021-42237

CWE Category CWE-502

Published Date Nov 05, 2021

Modified Date Nov 10, 2025

Exploit Status Available

Score 9.8 CVSS v3.1

Exploit Probability (EPSS)

99.21%

Vulnerability Summary

CVE-2021-42237: Sitecore XP 7.5 Initial Release to Sitecore XP 8.2 Update-7 is vulnerable to an insecure deserialization attack where it is possible to achieve remote command execution on the machine. No authentication or special configuration is required to exploit this vulnerability.

Impacted Vendors

sitecore 1

Reference Links

http://packetstormsecurity.com/files/164988/Sitecore-Experience-Platform-XP-Remote-Code-Execution.html http://sitecore.com https://blog.assetnote.io/2021/11/02/sitecore-rce/ https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1000776 http://packetstormsecurity.com/files/164988/Sitecore-Experience-Platform-XP-Remote-Code-Execution.html http://sitecore.com https://blog.assetnote.io/2021/11/02/sitecore-rce/ https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1000776 https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-42237

CVSS v3.1

Source Entity [email protected]

Severity CRITICAL

9.8

Attack Vector

NETWORK

Complexity

LOW

Privileges

N/A

Interaction

NONE

Confidentiality

N/A

Integrity

N/A

Availability

N/A

Scope

UNCHANGED

RAW VECTOR CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v3.1

Source Entity 134c704f-9b21-4f2e-91b3-4a467353bcc0

Severity CRITICAL

9.8

Attack Vector

NETWORK

Complexity

LOW

Privileges

N/A

Interaction

NONE

Confidentiality

N/A

Integrity

N/A

Availability

N/A

Scope

UNCHANGED

RAW VECTOR CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2.0

Source Entity [email protected]

Severity HIGH

10.0

Access Vector

N/A

Authentication

N/A

RAW VECTOR AV:N/AC:L/Au:N/C:C/I:C/A:C

Associated Attack Patterns (CAPEC)

Total: Patterns

CVE-2021-42237 Exploits & PoCs (Proof Of Concept)

GitHub https://github.com/ItsIgnacioPortal/CVE-2021-42237

View Code

GitHub https://github.com/vesperp/CVE-2021-42237-SiteCore-XP

View Code

GitHub https://github.com/crankyyash/SiteCore-RCE-Detection

View Code

November 10, 2025 MODIFIED

Vulnerability data or affected products updated.

November 05, 2021 PUBLISHED

Vulnerability first announced in NVD.

Attack Vector Matrix

Access Vector NETWORK

Complexity LOW

Privileges N/A

Interaction NONE

CVSS Vector String


                                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Stack

No specific products linked.