
Security researchers at Assetnote, recently acquired by Searchlight Cyber, have uncovered a pre-authentication remote code execution vulnerability in Sitecore Experience Platform, a popular .NET-based content management system widely used by enterprise customers.
The vulnerability, tracked as CVE-2025-27218 and referenced in Sitecore security bulletin SC2024-002-624693, affects Sitecore version 10.4 and later. It stems from unsafe deserialization of attacker-controlled data and allows arbitrary code execution on affected systems without any authentication.
According to Assetnote's analysis, the flaw is exploitable without credentials and in default configurations, which is what makes it particularly dangerous: no prior foothold, user interaction or non-default feature is required.
The vulnerability exists in Sitecore's thumbnail generation functionality. Researchers discovered that the AuthenticateThumbnailsRequest processor reads a header called ThumbnailsAccessToken and passes its value directly to a function that uses the notoriously insecure BinaryFormatter for deserialization.
"This is another case of BinaryFormatter causing more trouble than it's worth," Assetnote noted in their blog post. "This one was a little more disappointing since it was serialising an array of bytes to another array of bytes."
The flaw stems from Sitecore's improper use of the .NET BinaryFormatter class through a custom wrapper, Convert.Base64ToObject, which base64-decodes its input and hands the resulting bytes straight to BinaryFormatter. The researchers found that the MachineKeyTokenService.IsTokenValid method deserializes the user-supplied token before decrypting it, a subtle but critical misordering of operations: the decryption step that should gate the deserialization runs only after the dangerous step has already happened, so a malicious payload reaches BinaryFormatter regardless of whether it would ever pass that check.
"This subtle misordering of operations implies that full care may not have been given to this particular piece of functionality. It also means that, if no other validations are applied, we can pass a malicious deserialization payload straight to BinaryFormatter," the researchers explained in their report.
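Because the header value goes to BinaryFormatter before any check, a defender who can see inbound requests (reverse proxy, WAF, packet capture) can triage ThumbnailsAccessToken values by shape rather than by signature. The script below is an added example, not Assetnote's or Sitecore's code. It assumes, based on the quoted remark that the feature serialises "an array of bytes to another array of bytes", that a legitimate token is a base64-encoded BinaryFormatter (MS-NRBF) stream whose only record after the stream header is a byte[] array; any other record in that position (BinaryLibrary, ClassWithMembersAndTypes and so on, which is what gadget-chain generators emit) is flagged. The record layout follows Microsoft's MS-NRBF specification; the function names, the verdict strings and the sample tokens are all constructed for this example, and the "gadget_like" sample is a stub that merely starts the way gadget output starts, not a working payload.

```python
"""Triage ThumbnailsAccessToken header values for BinaryFormatter gadget payloads.

Assumption (from Assetnote's remark that the vulnerable code serialises "an array of
bytes to another array of bytes"): a legitimate token is a base64-encoded MS-NRBF
stream whose root object is a byte[]. A gadget chain has to put other records where
that byte[] record belongs, which is the only thing this triage looks for.
"""
import base64
import binascii
import struct

# MS-NRBF RecordTypeEnum values, used only to name what was seen in a verdict.
RECORD_NAMES = {
    0x00: "SerializedStreamHeader",
    0x01: "ClassWithId",
    0x03: "ClassWithMembers",
    0x04: "SystemClassWithMembersAndTypes",
    0x05: "ClassWithMembersAndTypes",
    0x06: "BinaryObjectString",
    0x07: "BinaryArray",
    0x0B: "MessageEnd",
    0x0C: "BinaryLibrary",
    0x0F: "ArraySinglePrimitive",
    0x10: "ArraySingleObject",
}
STREAM_HEADER = "<BiiII"   # record type, RootId, HeaderId, MajorVersion, MinorVersion
ARRAY_HEADER = "<BiiB"     # record type, ObjectId, Length, PrimitiveTypeEnum
HEADER_LEN = struct.calcsize(STREAM_HEADER)   # 17
ARRAY_LEN = struct.calcsize(ARRAY_HEADER)     # 10
PRIMITIVE_BYTE = 0x02      # PrimitiveTypeEnum.Byte
MESSAGE_END = 0x0B


def nrbf_byte_array(payload: bytes) -> bytes:
    """Build the stream BinaryFormatter writes for a root byte[] (used for the benign sample)."""
    header = struct.pack(STREAM_HEADER, 0x00, 1, -1, 1, 0)
    array = struct.pack(ARRAY_HEADER, 0x0F, 1, len(payload), PRIMITIVE_BYTE) + payload
    return header + array + bytes([MESSAGE_END])


def encode_token(stream: bytes) -> str:
    """Base64-encode a stream the way Convert.Base64ToObject expects to receive it."""
    return base64.b64encode(stream).decode()


def classify_token(header_value: str) -> str:
    """Return 'benign: ...', 'suspicious: ...', 'not-nrbf: ...' or 'malformed: ...'."""
    try:
        blob = base64.b64decode(header_value, validate=True)
    except (binascii.Error, ValueError):
        return "malformed: not base64"
    if len(blob) < HEADER_LEN:
        return "not-nrbf: too short for a stream header"
    rec, _root, _hdr, major, minor = struct.unpack_from(STREAM_HEADER, blob, 0)
    if rec != 0x00 or major != 1 or minor != 0:
        return "not-nrbf: no SerializationHeaderRecord"
    # From here on, the vulnerable code path would hand the value to BinaryFormatter.
    if len(blob) < HEADER_LEN + ARRAY_LEN:
        return "suspicious: stream truncated after header"
    root_rec = blob[HEADER_LEN]
    if root_rec != 0x0F:
        name = RECORD_NAMES.get(root_rec, f"record 0x{root_rec:02x}")
        return f"suspicious: root object is {name}, expected ArraySinglePrimitive"
    _, _obj, length, prim = struct.unpack_from(ARRAY_HEADER, blob, HEADER_LEN)
    if prim != PRIMITIVE_BYTE:
        return f"suspicious: array element type 0x{prim:02x}, expected Byte"
    data_end = HEADER_LEN + ARRAY_LEN + length
    if length < 0 or len(blob) != data_end + 1 or blob[data_end] != MESSAGE_END:
        return "suspicious: array length disagrees with stream length"
    return "benign: byte[] token"


# Constructed samples (not captured traffic): a legitimate-looking token, a stub that
# begins the way gadget-chain output begins (NOT a working exploit payload), random
# bytes, and a value that is not even base64.
SAMPLE_TOKENS = {
    "legit": encode_token(nrbf_byte_array(bytes(range(16)))),
    "gadget_like": encode_token(
        struct.pack(STREAM_HEADER, 0x00, 1, -1, 1, 0)
        + bytes([0x0C]) + struct.pack("<i", 2) + b"\x04stub"   # BinaryLibrary record stub
        + bytes([MESSAGE_END])
    ),
    "random": encode_token(b"\x9f" * 24),
    "junk": "not-base64!!",
}


def triage(tokens: dict) -> dict:
    """Map each sample name to its verdict."""
    return {name: classify_token(value) for name, value in tokens.items()}


if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_TOKENS).items():
        print(f"{name:12s} {verdict}")
```

This is an allow-list on stream shape (header, one byte[] record, MessageEnd, nothing else), so it does not depend on recognising particular ysoserial.net chains, and it also rejects streams that smuggle extra objects before or after the byte[]. Any "suspicious" verdict for a request that reached an unpatched CM or Standalone server is an incident to investigate, but the triage is no substitute for the hotfix or for disabling the feature with the workaround below.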
Sitecore has confirmed that the vulnerability impacts Experience Manager (XM), Experience Platform (XP), and Managed Cloud deployments. XM Cloud, Content Hub, CDP, OrderCloud, and other Sitecore products remain unaffected.
The company has released fixes and recommends immediate action. For on-premises and PaaS deployments running version 10.4, download and install the corresponding cumulative hotfix published in KB1002844; container-based deployments apply the same hotfix following the container guidance in the accompanying Sitecore documentation.
As a temporary workaround, administrators can download the patch file Sitecore.Support.624693.config and place it in the \App_Config\Include\zzz folder on Content Management (CM) and Standalone servers. This disables Sitecore's screenshot thumbnail functionality, which is the feature the vulnerable code serves.
After installing the fix, users can verify successful mitigation by checking that the Sitecore.Kernel assembly version is equal to or greater than 19.4.93.21984.
This incident underscores the importance of security review for newly added code, not only at a product's initial release: the vulnerable token handling was a relatively recent addition to the Sitecore codebase, and the pattern involved, BinaryFormatter applied to unauthenticated input, is well known enough that .NET's own code-analysis rules (CA2300 and related) flag it.