The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two six-year-old security flaws impacting Sitecore CMS and Experience Platform (XP) to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.
The vulnerabilities are listed below –
- CVE-2019-9874 (CVSS score: 9.8) – A deserialization vulnerability in the Sitecore.Security.AntiCSRF module that allows an unauthenticated attacker to execute arbitrary code by sending a serialized .NET object in the HTTP POST parameter __CSRFTOKEN
- CVE-2019-9875 (CVSS score: 8.8) – A deserialization vulnerability in the Sitecore.Security.AntiCSRF module that allows an authenticated attacker to execute arbitrary code by sending a serialized .NET object in the HTTP POST parameter __CSRFTOKEN
There are currently no details on how the flaws are being weaponized in the wild and by whom, although SiteCore in an update shared on March 30, 2020, said it became “aware of active exploitation” of CVE-2019-9874. The company makes no mention of CVE-2019-9875 being exploited.
In light of active exploitation, federal agencies are required to apply the necessary patches by April 16, 2025, to secure their networks.
The development comes as Akamai said it has observed initial exploit attempts probing potential servers for a newly disclosed security flaw impacting the Next.js web framework (CVE‑2025‑29927, CVSS score: 9.1).
An authorization bypass vulnerability, a successful exploitation could permit an attacker to get around middleware-based security checks by spoofing a header called “x‑middleware‑subrequest” that’s used to manage internal request flows. This, in turn, could enable unauthorized access to sensitive application resources, Checkmarx’s Raphael Silva said.
“Among the identified payloads, one notable technique involves using the x-middleware-request header with the value src/middleware:src/middleware:src/middleware:src/middleware:src/middleware,” the web infrastructure company said.
“This approach simulates multiple internal subrequests within a single request, triggering Next.js’s internal redirect logic — closely resembling several publicly available proof-of-concept exploits.”
The disclosures also follow a warning from GreyNoise about active exploitation attempts recorded against several known vulnerabilities in DrayTek devices.
The threat intelligence firm said it has seen observed in-the-wild activity against the below CVE identifiers –
- CVE-2020-8515 (CVSS score: 9.8) — An operating system command injection vulnerability in multiple DrayTek router models that could allow remote code execution as root via shell metacharacters to the cgi-bin/mainfunction.cgi URI
- CVE-2021-20123 (CVSS score: 7.5) — A local file inclusion vulnerability in DrayTek VigorConnect that could allow an unauthenticated attacker to download arbitrary files from the underlying operating system with root privileges via the DownloadFileServlet endpoint
- CVE-2021-20124 (CVSS score: 7.5) — A local file inclusion vulnerability in DrayTek VigorConnect that could allow an unauthenticated attacker to download arbitrary files from the underlying operating system with root privileges via the WebServlet endpoint
Indonesia, Hong Kong, and the United States have emerged as the top destination countries of the attack traffic for CVE-2020-8515, while Lithuania, the United States, and Singapore have been singled out as part of attacks exploiting CVE-2021-20123 and CVE-2021-20124.
