Based on evidence of active exploitation, the US Cybersecurity and Infrastructure Security Agency (CISA) has added two six-year-old security flaws that affect Sitecore CMS and Experience Platform (XP) to its known exploited vulnerabilities (KEV) catalogue.
The vulnerabilities are listed below –
- CVE-2019-9874 (CVSS score: 9.8) – Deserialization vulnerability in the Sitecore.Security.AntiCSRF module that allows unauthenticated attackers to execute arbitrary code by sending a serialized .NET object in an HTTP POST parameter.
- CVE-2019-9875 (CVSS score: 8.8) – Deserialization vulnerability in the Sitecore.Security.AntiCSRF module that allows an authenticated attacker to execute arbitrary code by sending a serialized .NET object in the HTTP POST parameter __CSRFTOKEN.
In an update shared on March 30, 2020, Sitecore states that it is “aware of active exploitation” of CVE-2019-9874, but there are no details on who is weaponizing the flaw. The company has not mentioned any abuse of CVE-2019-9875.
In light of active exploitation, federal agencies must secure their networks by April 16, 2025.
Akamai also stated that it has observed early exploit attempts probing for servers vulnerable to a newly disclosed security flaw in the Next.js web framework (CVE-2025-29927, CVSS score: 9.1).
The vulnerability is an authorization bypass: attackers could circumvent middleware-based security checks by spoofing a header called “X-Middleware-SubRequest” that is used to manage internal request flows. This could allow unauthorized access to sensitive application resources, said Raphael Silva of Checkmarx.
“One of the identified payloads involves using X-Middleware-Subrequest headers with the value src/middleware:src/middleware:src/middleware:src/middleware:src/middleware:src/middleware:src/middleware:src/middleware:src/middleware.”

“This approach simulates multiple internal subrequests within a single request and triggers internal redirection logic in Next.js.”
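As an added defender-side example (not from the article, Akamai, Checkmarx or the Next.js project), the following check flags externally arriving requests that carry the x-middleware-subrequest header described above, counts the repeated middleware path segments of the quoted payload shape, and shows how an edge or reverse proxy could strip the header before forwarding; the sample requests are constructed.

```javascript
// Added defender-side check (not from the article or from Next.js): flag and
// strip the x-middleware-subrequest header on requests arriving from outside,
// since Next.js sets it only for its own internal subrequests.
const SUBREQUEST_HEADER = "x-middleware-subrequest";
// A segment shaped like the quoted payload: "src/middleware" or "middleware".
const MIDDLEWARE_SEGMENT = /^(src\/)?middleware$/i;

// Returns the header's value regardless of the casing the client used.
function getHeader(headers, name) {
  const hit = Object.entries(headers).find(([k]) => k.toLowerCase() === name);
  return hit ? String(hit[1]) : null;
}

// Classify one request by its headers.
function inspectRequest(headers) {
  const value = getHeader(headers, SUBREQUEST_HEADER);
  if (value === null) {
    return { suspicious: false, reason: "header absent", segments: 0 };
  }
  // The payload joins path segments with ":"; count those naming a middleware file.
  const parts = value.split(":").map((s) => s.trim()).filter(Boolean);
  const segments = parts.filter((p) => MIDDLEWARE_SEGMENT.test(p)).length;
  return {
    suspicious: true,
    reason: segments > 0 ? "middleware path segments in subrequest header" : "unexpected subrequest header",
    segments,
  };
}

// Mitigation for an edge/reverse proxy: return the headers without the internal header.
function stripSubrequestHeader(headers) {
  return Object.fromEntries(
    Object.entries(headers).filter(([k]) => k.toLowerCase() !== SUBREQUEST_HEADER)
  );
}

// Constructed sample requests (not real traffic).
const SAMPLE_REQUESTS = [
  { id: "req-1", headers: { host: "app.example", "user-agent": "curl/8.0" } },
  { id: "req-2", headers: { host: "app.example",
      "X-Middleware-Subrequest": "SRC/Middleware: SRC/Middleware: SRC/Middleware" } },
  { id: "req-3", headers: { host: "app.example", "x-middleware-subrequest": "middleware" } },
  { id: "req-4", headers: { host: "app.example", "X-MIDDLEWARE-SUBREQUEST": "unrelated" } },
];

// Ids of requests that should be blocked or alerted on.
function scanRequests(requests) {
  return requests.filter((r) => inspectRequest(r.headers).suspicious).map((r) => r.id);
}
```

Any presence of the header from an external client is treated as suspicious; the segment count only adds context for triage.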
The disclosure also follows a warning from GreyNoise about active exploitation attempts recorded against several known vulnerabilities in DrayTek devices.
The threat intelligence company said it observed in-the-wild activity for the following CVE identifiers –
- CVE-2020-8515 (CVSS score: 9.8) – Operating system command injection vulnerability in multiple DrayTek router models that allows remote code execution as root via shell metacharacters passed to the cgi-bin/mainfunction.cgi URI.
- CVE-2021-20123 (CVSS score: 7.5) – Local file inclusion vulnerability in DrayTek VigorConnect that allows unauthenticated attackers to download arbitrary files from the underlying operating system via the DownloadFileServlet endpoint.
- CVE-2021-20124 (CVSS score: 7.5) – Local file inclusion vulnerability in DrayTek VigorConnect that allows unauthenticated attackers to download arbitrary files from the underlying operating system with root privileges via the WebServlet endpoint.
Indonesia, Hong Kong and the US topped the list of countries in CVE-2020-8515 attack traffic, while Lithuania, the US and Singapore were singled out in attacks that leverage CVE-2021-20123 and CVE-2021-20124.