Sitecore XM/XP Insecure Deserialization (CVE-2025-27218)

Severity:

Critical

Summary

Due to the insecure BinaryFormatter deserialization vulnerability in Sitecore XM/XP, an unauthenticated attacker might send a specially-crafted serialized request to execute arbitrary code on the system.

Impact

Successful attacks of this vulnerability can result in takeover of Sitecore.

Remediation

Upgrade to the latest version of Sitecore

Required Skills for Successful Exploitation

Actions To Take

Classifications

CWE-CWE-502

Vulnerability Index

You can search and find all vulnerabilities

Select Category

Select Vulnerability

Related Vulnerabilities

Sitecore XM/XP Insecure Deserialization (CVE-2025-27218)

Apache OFBiz XMLRPC Deserialization RCE (CVE-2020-9496/CVE-2023-49070)

Oracle Access Manager 'opensso' Deserialization RCE (CVE-2021-35587)

SharePoint "ToolShell" RCE (CVE-2025-49704/CVE-2025-49706/CVE-2025-53770/CVE-2025-53771)

Apache OFBiz SOAPService Deserialization RCE

Sitecore XM/XP Insecure Deserialization (CVE-2025-27218)

Vulnerability Index

Select Category

Select Vulnerability

Select Vulnerability

Featured resources

Build your resistance to threats. And save hundreds of hours each month.