Ethical Hacking News
CISA has issued a warning about two long-standing vulnerabilities in Sitecore CMS, while a newly disclosed authorization bypass in the Next.js web framework and several older flaws in DrayTek routers are also seeing in-the-wild exploitation. With active exploitation reported, federal agencies must apply the Sitecore patches by April 16, 2025, to secure their networks.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two six-year-old security flaws, CVE-2019-9874 and CVE-2019-9875, to its Known Exploited Vulnerabilities (KEV) catalog. Both are deserialization vulnerabilities in the Sitecore.Security.AntiCSRF module and allow an attacker to execute arbitrary code. CISA requires federal agencies to apply the necessary patches by April 16, 2025. Separately, Akamai reports initial exploit attempts probing for servers vulnerable to CVE-2025-29927, an authorization bypass in the Next.js web framework: attackers spoof the "x-middleware-subrequest" header to skip middleware-enforced checks and reach protected application resources. In-the-wild activity has also been observed against several known DrayTek vulnerabilities, including CVE-2020-8515 and CVE-2021-20123, which can be exploited for remote code execution as root on affected router models.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two six-year-old security flaws impacting Sitecore CMS and Experience Platform (XP) to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. This development comes as a warning to federal agencies, which are required to apply the necessary patches by April 16, 2025, to secure their networks.
The vulnerabilities in question are CVE-2019-9874 and CVE-2019-9875, both deserialization vulnerabilities in the Sitecore.Security.AntiCSRF module. The former, with a CVSS score of 9.8, allows an unauthenticated attacker to execute arbitrary code by sending a serialized .NET object in the HTTP POST parameter __CSRFTOKEN. The latter, rated 8.8, lets an authenticated attacker achieve the same result through the same parameter.
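Because both flaws are triggered by a serialized .NET object arriving in the __CSRFTOKEN POST parameter, a defender who cannot patch immediately can at least spot the traffic. The example below is added here and is not Sitecore's code or part of any exploit: it pulls __CSRFTOKEN out of a form-urlencoded body and checks whether the base64-decoded value opens with the fixed 17-byte header that every .NET BinaryFormatter stream starts with. That the attack payloads are BinaryFormatter output is an assumption of this example (the article only says "serialized .NET object"), and the request bodies are constructed for illustration; the attack sample is header plus filler, not a working gadget chain.

```python
"""Added example (not from the article or Sitecore): flag POST bodies whose
__CSRFTOKEN parameter carries a .NET BinaryFormatter stream instead of a token.
Assumption: the payload is base64-encoded BinaryFormatter output.
"""
import base64
import binascii
from typing import Optional
from urllib.parse import parse_qs, urlencode

# A BinaryFormatter stream always opens with a SerializationHeaderRecord:
# RecordType 0x00, RootId=1, HeaderId=-1, MajorVersion=1, MinorVersion=0.
BINARYFORMATTER_HEADER = bytes.fromhex("00" "01000000" "ffffffff" "01000000" "00000000")

# The same header as it appears after base64 encoding; handy for a WAF or grep
# rule that looks at the raw parameter without decoding it.
BINARYFORMATTER_B64_PREFIX = base64.b64encode(BINARYFORMATTER_HEADER).decode()[:20]


def extract_csrftoken(body: str) -> Optional[str]:
    """Return the raw __CSRFTOKEN value from a form-urlencoded body, if present."""
    values = parse_qs(body, keep_blank_values=True).get("__CSRFTOKEN")
    return values[0] if values else None


def classify_csrftoken(token: str) -> str:
    """Classify a token as 'opaque' (not base64), 'benign', or 'dotnet-deserialization'."""
    try:
        blob = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return "opaque"
    if blob.startswith(BINARYFORMATTER_HEADER):
        return "dotnet-deserialization"
    return "benign"


def scan_post_body(body: str) -> str:
    """Verdict for one request body: 'no-token' or one of the classes above."""
    token = extract_csrftoken(body)
    if token is None:
        return "no-token"
    return classify_csrftoken(token)


# Constructed sample bodies (hypothetical, for the example only).
FAKE_PAYLOAD = BINARYFORMATTER_HEADER + b"\x0c\x02\x00\x00\x00" + b"\x00" * 32
ATTACK_BODY = urlencode({
    "__CSRFTOKEN": base64.b64encode(FAKE_PAYLOAD).decode(),
    "__VIEWSTATE": "",
})
BENIGN_BODY = urlencode({
    "__CSRFTOKEN": base64.b64encode(b"example-token-0123456789abcdef").decode(),
})

if __name__ == "__main__":
    for label, body in (("attack", ATTACK_BODY), ("benign", BENIGN_BODY), ("other", "q=1")):
        print(f"{label:7s} -> {scan_post_body(body)}")
```

Run it against captured POST bodies for the Sitecore login and admin paths; any hit on the BinaryFormatter header in __CSRFTOKEN warrants treating the host as compromised, since the vulnerable module deserializes before any CSRF check can reject the value.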
CISA has not published details on how these flaws are being used in real-world attacks or by whom. Sitecore, however, acknowledged active exploitation of CVE-2019-9874 in an update dated March 30, 2020; no equivalent statement was made for CVE-2019-9875.
Meanwhile, another high-priority issue is unfolding: Akamai reports initial exploit attempts probing for servers vulnerable to CVE-2025-29927, an authorization bypass in the Next.js web framework. The vulnerability allows attackers to spoof the "x-middleware-subrequest" header, which Next.js uses internally to stop middleware from recursing into itself, so that middleware-enforced checks are skipped and protected application resources become reachable.
Raphael Silva of Checkmarx described one prominent method that exploits this vulnerability: utilizing a header with the value src/middleware:src/middleware:src/middleware:src/middleware, which effectively simulates multiple internal subrequests within a single request, thereby bypassing Next.js's middleware-based security checks. This approach is particularly concerning as it bears resemblance to publicly available proof-of-concept exploits.
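To make the mechanism concrete, the following is an added example (Python re-creation of the logic, not Next.js's own adapter code) of why the repeated header value works and what to do about it. In the Next.js adapter, the header is split on ":" and the middleware is skipped once its own name appears MAX_RECURSION_DEPTH (5) times; the name is "middleware" or "src/middleware" depending on whether the project uses a src directory. The request shapes, the protected path and the status codes are assumptions made for the example. It also shows the two defensive moves a practitioner wants: strip the header at the reverse proxy when the app cannot be upgraded yet, and alert on any externally supplied x-middleware-subrequest, since no legitimate client sends it.

```python
"""Added example: re-creation of the CVE-2025-29927 middleware-skip logic,
plus an edge mitigation and a detection check. Not Next.js's code."""
from collections import Counter

# Next.js stops recursing into middleware once the header names it this many
# times (MAX_RECURSION_DEPTH in the adapter source).
MAX_RECURSION_DEPTH = 5
SUBREQUEST_HEADER = "x-middleware-subrequest"


def middleware_skipped(headers: dict, middleware_name: str) -> bool:
    """Vulnerable behaviour: a client-controlled header decides whether
    middleware runs at all."""
    raw = headers.get(SUBREQUEST_HEADER, "")
    depth = Counter(raw.split(":"))[middleware_name] if raw else 0
    return depth >= MAX_RECURSION_DEPTH


def handle_request(headers: dict, path: str, authenticated: bool,
                   middleware_name: str = "src/middleware") -> int:
    """Status an app would return for a path whose auth check lives only in
    middleware (assumed: /admin redirects anonymous users with 307)."""
    if path.startswith("/admin") and not middleware_skipped(headers, middleware_name):
        if not authenticated:
            return 307
    return 200


def strip_internal_headers(headers: dict) -> dict:
    """Mitigation at a reverse proxy or WAF in front of an unpatched app:
    drop the internal header from every external request."""
    return {k: v for k, v in headers.items() if k.lower() != SUBREQUEST_HEADER}


def suspicious_subrequest_header(headers: dict) -> bool:
    """Detection: any externally supplied x-middleware-subrequest is hostile."""
    return any(k.lower() == SUBREQUEST_HEADER for k in headers)


# Constructed samples (hypothetical requests for the example).
BYPASS_HEADERS = {SUBREQUEST_HEADER: ":".join(["src/middleware"] * MAX_RECURSION_DEPTH)}
TOO_SHALLOW = {SUBREQUEST_HEADER: ":".join(["src/middleware"] * (MAX_RECURSION_DEPTH - 1))}

if __name__ == "__main__":
    print("anonymous, no header:", handle_request({}, "/admin", False))
    print("anonymous, spoofed header:", handle_request(BYPASS_HEADERS, "/admin", False))
    print("same, header stripped at edge:",
          handle_request(strip_internal_headers(BYPASS_HEADERS), "/admin", False))
```

The lesson generalises beyond this CVE: middleware that is the only gate in front of a route is one framework bug away from not running, so authorization should also be enforced in the route handler or data layer. Upgrading to a fixed Next.js release remains the real fix; the header-stripping rule is a stopgap.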
Additionally, another threat intelligence firm has observed in-the-wild activity against several known vulnerabilities in DrayTek devices, including CVE-2020-8515, CVE-2021-20123 and CVE-2021-20124. The first is an operating system command injection flaw and the other two are local file inclusion flaws; all three could be exploited to achieve remote code execution as root on certain router models.
Furthermore, the attack traffic for these exploits is largely concentrated in Indonesia, Hong Kong, and the United States for CVE-2020-8515, while Lithuania, the United States, and Singapore have been targeted with the latter pair of vulnerabilities (CVE-2021-20123 and CVE-2021-20124).
In conclusion, this series of warnings highlights the ongoing nature of cybersecurity threats and the necessity of proactive vulnerability management. As federal agencies address these newly catalogued vulnerabilities, the priority is to patch within CISA's deadline and to know which Sitecore, Next.js and DrayTek assets are exposed; application security posture management (ASPM) tooling can help maintain that visibility.
Related Information:
https://www.ethicalhackingnews.com/articles/CISA-Warns-of-Sitecore-RCE-Flaws-Nextjs-and-DrayTek-Devices-Under-Threat-ehn.shtml
https://thehackernews.com/2025/03/cisa-flags-two-six-year-old-sitecore.html
https://nvd.nist.gov/vuln/detail/CVE-2019-9874
https://www.cvedetails.com/cve/CVE-2019-9874/
https://nvd.nist.gov/vuln/detail/CVE-2019-9875
https://www.cvedetails.com/cve/CVE-2019-9875/
https://nvd.nist.gov/vuln/detail/CVE-2025-29927
https://www.cvedetails.com/cve/CVE-2025-29927/
https://nvd.nist.gov/vuln/detail/CVE-2020-8515
https://www.cvedetails.com/cve/CVE-2020-8515/
https://nvd.nist.gov/vuln/detail/CVE-2021-20123
https://www.cvedetails.com/cve/CVE-2021-20123/
https://nvd.nist.gov/vuln/detail/CVE-2021-20124
https://www.cvedetails.com/cve/CVE-2021-20124/
Published: Thu Mar 27 02:54:30 2025 by llama3.2 3B Q4_K_M