🔴 CVE-2019-9874

Critical deserialization vulnerability in Sitecore CMS allowing unauthenticated remote code execution via malicious .NET objects in CSRF tokens. Actively exploited in the wild and listed in CISA KEV catalog.

Risk Level: HIGH_RISK
CVSS Score: 9.8
Attack Vector: NETWORK
ATT&CK Tactic: Initial Access
ATT&CK Technique: T1190 — Exploit Public-Facing Application
Deployment Risk: HIGH
Ransomware: No

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: DIRECT_NETWORK

CVE Published: 2019-05-31

Added to CISA KEV: 2025-03-26 (2126 days between CVE publication and KEV listing)

🎯 Recommendations:

🔍 Web Intelligence (Kagi · 2026-06-04)

CVE-2019-9874 is a critical deserialization vulnerability affecting the `Sitecore.Security.AntiCSRF` module in various versions of the Sitecore Experience Platform (XP) and Sitecore CMS [4] [2].

Active Exploitation and Threat Actor Usage
  • Active Exploitation: Sitecore confirmed in March 2020 that it was aware of active exploitation of this vulnerability in the wild [1].
  • CISA KEV: The vulnerability is included in the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) catalog, which mandates that federal agencies patch the flaw due to evidence of active exploitation [1].
  • Attribution: As of recent reports, there are no specific public details regarding the identity of the threat actors or the specific campaigns (e.g., ransomware vs. espionage) utilizing this exploit [1].
Attack Method and Requirements
  • Method: The vulnerability is caused by the insecure deserialization of untrusted data within the `Sitecore.Security.AntiCSRF` module [2].
  • Exploitation: An unauthenticated attacker can execute arbitrary code by sending a specially crafted, serialized .NET object via the `__CSRFTOKEN` HTTP POST parameter [2] [4].
  • Requirements: The attack is network-based and does not require user interaction or prior authentication [2].
Impact
  • Successful exploitation grants an attacker Remote Code Execution (RCE) capabilities on the affected server, typically with the privileges of the web application process [2]. This is a critical-severity vulnerability with a CVSS score of 9.8 [1].
Affected Versions and Mitigation
  • Affected Versions [2] [3]:
      ◦ Sitecore CMS 7.0 to 7.2
      ◦ Sitecore XP 7.5 to 8.2 (prior to Update-7)
      ◦ Sitecore XP 9.0 (prior to Update-2)
  • Mitigation: The primary mitigation is to update the Sitecore installation to a patched version (e.g., Sitecore XP 8.2 Update-7 or later, or Sitecore XP 9.0 Update-2 or later) as recommended by the vendor [3].
Proof-of-Concept Availability
  • Automated detection templates, such as those for the Nuclei vulnerability scanner, are publicly available to identify vulnerable instances [3].

Sources

  1. CISA Warns of Sitecore RCE Flaws; Active Exploits

    CVE-2019-9874 (CVSS score: 9.8) - A deserialization vulnerability in the Sitecore.Security.AntiCSRF module that allows an unauthenticated attacker to execute arbitrary code by sending a serialized .NET object in the HTTP POST parameter __CSRFTOKEN ... There are currently no details on how the flaws…

  2. NVD - CVE-2019-9874

    Vulnerabilities. CVE-2019-9874 Detail. Description. Deserialization of Untrusted Data in the Sitecore.Security.AntiCSRF (aka anti CSRF) module in Sitecore CMS 7.0 to 7.2 and Sitecore XP 7.5 to 8.2 allows an unauthenticated attacker to execute arbitrary code by sending a serialized .NET object in the…

  3. CVE-2019-9874.yaml - projectdiscovery/nuclei-templates - GitHub

    Sitecore Experience Platform before 8.2 Update-7 and 9.0 before Update-2 is vulnerable to a remote code execution vulnerability (CVE-2019-9874). An attacker can ...

  4. CVE-2019-9874 : Deserialization of Untrusted Data in the Sitecore ...

    CVSS scores for CVE-2019-9874 ... CWE ids for CVE-2019-9874 CWE-502 Deserialization of Untrusted Data The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. ... Vulnerability Details : CVE-2019-9874. Deserialization of Untrusted Data in the Sitec…