Cybersecurity researchers from watchTowr Labs have issued a critical warning regarding a newly discovered exploit chain that could allow unauthenticated attackers to achieve remote code execution (RCE) on thousands of Sitecore Experience Platform instances. The chain of vulnerabilities, which has been patched but remains a threat to unupdated systems, links a pre-authentication cache poisoning flaw with a post-authentication RCE vulnerability to grant attackers full control of a compromised server.
The research builds upon a previous report from June detailing three other vulnerabilities, and now uncovers three more, including a vulnerability for HTML cache poisoning (CVE-2025-53693), remote code execution via insecure deserialization (CVE-2025-53691), and an information disclosure bug (CVE-2025-53694). According to watchTowr, the exploit chain leverages an exposed ItemService API to enumerate HTML cache keys, which can then be used to inject malicious HTML into the cache. This poisoned cache content can then be leveraged to trigger the insecure deserialization vulnerability, leading to arbitrary code execution.
This is a particularly potent attack vector because it bypasses the need for an attacker to first gain authenticated access. By combining a “pre-auth” cache poisoning flaw with a “post-auth” RCE vulnerability, an attacker can effectively bypass the initial authentication barrier. This is made possible because the malicious code is not executed until a legitimate, authenticated user visits the poisoned page, at which point the final stage of the attack is triggered.
Sitecore has confirmed the vulnerabilities and released patches for affected versions of its Experience Platform, including versions up to 10.4. The company urges all customers to apply the provided fixes immediately to mitigate the risk. While there is currently no public evidence of the exploit chain being used in the wild, the public disclosure of technical details by the researchers provides a clear roadmap for threat actors to weaponize the flaws. This makes patching an urgent priority for any organization using the affected platforms.
The incident serves as a stark reminder of the interconnected nature of modern software and the risks associated with third-party components and complex integrations. Even seemingly minor flaws can be combined in unexpected ways to create a severe security risk. Cybersecurity experts advise organizations to conduct regular security audits of all web-facing applications, promptly apply all vendor-supplied patches, and actively monitor logs for signs of suspicious activity.
