Information Disclosure in ItemService API with a restricted anonymous user, leading to exposure of cache keys using a brute-force approach### CVE-2025-53694: Information Disclosure in ItemService API with a restricted anonymous user, leading to exposure of cache keys using a brute-force approach
The ItemService API, accessible at `/sitecore/shell/api/sitecore/ItemService/GetChildren`, allows unauthenticated users to query the Sitecore database. By providing a valid item GUID and database name, an attacker can enumerate the internal structure of the Sitecore instance, including sensitive information about items, templates, and system configuration.
**Information Disclosure:** The attacker uses CVE-2025-53694 to gather information about the target system.
## Mitigation
Sitecore has released patches for this vulnerabilitie. It is strongly recommended to upgrade to the latest version of Sitecore XP or apply the provided security patches.
## Reference
[1] Watchtowr Labs. (2025). [*Cache Me If You Can: Sitecore Experience Platform Cache Poisoning to RCE*.](https://labs.watchtowr.com/cache-me-if-you-can-sitecore-experience-platform-cache-poisoning-to-rce/)
登录后查看神龙缓存的 POC 文件快照
登录查看