From Information Disclosure to RCE in Sitecore Experience Platform (XP)# Sitecore CVE Chain Exploits
This repository contains proof-of-concept exploits for a critical vulnerability chain in Sitecore Experience Platform (XP) versions up to 10.4.1.
## Vulnerabilities
- **CVE-2025-53694:** Information Disclosure
- **CVE-2025-53693:** Cache Poisoning
- **CVE-2025-53691:** Remote Code Execution
## Exploits
> All 3 exploits are available separately in my profile, the `chain.py` file contains the logic of the 3 orchestrated in a chain for cache poisoning to RCE escalation, the `cve_2025_5369*.py` files mentioned below were redundant and have been removed.
- `cve_2025_53694.py`: Information Disclosure PoC // Removed
- `cve_2025_53693.py`: Cache Poisoning PoC // Removed
- `cve_2025_53691.py`: RCE via Deserialization PoC // Removed
- `chain.py`: Complete exploit chain (all CVEs)
- `sitecore.yaml`: [Nuclei](https://github.com/projectdiscovery/nuclei) template, not validated or tested on real targets
- `test.py`: Test script for local environment, make sure to set the correct port // Temporarily removed, incomplete detection
## Usage
### Individual Exploits
- **[CVE-2025-53694](https://github.com/blueisbeautiful/CVE-2025-53694/tree/main):** `python3 exploit.py <target_url>`
- **[CVE-2025-53693](https://github.com/blueisbeautiful/CVE-2025-53693/tree/main):** `python3 exploit.py <target_url>`
- **[CVE-2025-53691](https://github.com/blueisbeautiful/CVE-2025-53691/tree/main):** `python3 exploit.py <target_url> --command "<command>"`
### Exploit Chain
```bash
python3 chain.py <target_url> --command "<command>"
```
### Nuclei template
- Download go
- Install nuclei
- Run `nuclei -t sitecore.yaml -u <target_url>` or `cat targets.txt | nuclei -t sitecore.yaml`
### Documentation
See full explanation [here](https://github.com/blueisbeautiful/CVE-2025-53694-to-CVE-2025-53691/blob/main/REPORT.md)
## Disclaimer
These exploits are for educational and research purposes only. Do not use them on systems you do not own or have permission to test.
Log in to view the POC file snapshot cached by Shenlong Bot
Log in to view