Vulnerability Alert
The United States Cybersecurity and Infrastructure Security Agency (CISA) has recently added two older security vulnerabilities affecting Sitecore CMS and Experience Platform (XP) to its Known Exploited Vulnerabilities (KEV) catalog. The additions were made on the basis of evidence that these vulnerabilities are being actively exploited.
The affected vulnerabilities are as follows:
- CVE-2019-9874 (CVSS score: 9.8) – A deserialization vulnerability exists in the Sitecore.Security.AntiCSRF module, allowing an unauthenticated attacker to execute arbitrary code by sending a serialized .NET object in the HTTP POST parameter __CSRFTOKEN.
- CVE-2019-9875 (CVSS score: 8.8) – A deserialization vulnerability exists in the Sitecore.Security.AntiCSRF module, allowing an authenticated attacker to execute arbitrary code by sending a serialized .NET object in the HTTP POST parameter __CSRFTOKEN.
Currently, there is limited information available on how these vulnerabilities are being exploited in the wild and by whom. However, Sitecore reported being aware of active exploitation of CVE-2019-9874 in an update on March 30, 2020. There is no mention of CVE-2019-9875 being exploited.
In response to the active exploitation, federal agencies are required to apply the necessary patches by April 16, 2025, to secure their networks.
Meanwhile, Akamai has reported observing initial exploit attempts targeting a newly disclosed security flaw in the Next.js web framework, identified as CVE-2025-29927, with a CVSS score of 9.1. This vulnerability is an authorization bypass that could allow an attacker to bypass middleware-based security checks by spoofing a header called “x-middleware-subrequest,” potentially enabling unauthorized access to sensitive application resources.
Checkmarx’s Raphael Silva explained that successful exploitation of this vulnerability could permit an attacker to access sensitive resources. Akamai noted that one notable technique involves sending the x-middleware-subrequest header with a specific value that simulates multiple internal subrequests within a single request, triggering Next.js’s internal redirect logic; the technique closely resembles publicly available proof-of-concept exploits.
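The header described above is one that Next.js sets for its own internal subrequests, so a copy arriving from an outside client is itself the indicator a defender can act on. The following is an added example, not code from the article, from Akamai or from the Next.js project: an edge-side guard that strips the header before a request is forwarded and produces an alert record for the SOC. The request shape, the sample traffic, the alert fields and the header value are constructed for this example, and it assumes the header's value is a colon-separated chain (which is why the number of segments is reported).

```javascript
// Added example (not from the article or from the Next.js project): an
// edge-side guard for the x-middleware-subrequest spoofing issue. The header
// is meant to be set only by Next.js itself for internal subrequests, so a
// copy arriving from an external client is a spoofing indicator. The defensive
// move is to drop it before the request reaches Next.js and raise an alert.
// Request shape, sample traffic and alert format are constructed here.

const INTERNAL_HEADER = 'x-middleware-subrequest';

// Returns a copy of `headers` without the internal header, plus a flag telling
// the caller whether anything was removed. Names are compared case-insensitively
// because HTTP header names are case-insensitive.
function stripInternalHeaders(headers) {
  const cleaned = {};
  let stripped = false;
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === INTERNAL_HEADER) {
      stripped = true;
      continue;
    }
    cleaned[name] = value;
  }
  return { headers: cleaned, stripped };
}

// `req` is a plain object { ip, method, path, headers } as a reverse proxy
// would hold it after parsing (constructed shape for this example). Returns
// the headers safe to forward and, if the internal header was present, an
// alert record describing the attempt.
function inspectInboundRequest(req) {
  const { headers, stripped } = stripInternalHeaders(req.headers);
  const result = { forwardHeaders: headers, alert: null };
  if (stripped) {
    const [, value] = Object.entries(req.headers).find(
      ([name]) => name.toLowerCase() === INTERNAL_HEADER
    );
    result.alert = {
      rule: 'nextjs-middleware-subrequest-spoof',
      ip: req.ip,
      method: req.method,
      path: req.path,
      // Assumption: the value is a colon-separated chain, so the segment count
      // shows how many nested internal subrequests the client pretended to be.
      segments: value.split(':').length,
    };
  }
  return result;
}

// Constructed sample traffic: one benign request, one carrying the spoofed header.
const SAMPLE_REQUESTS = [
  { ip: '203.0.113.10', method: 'GET', path: '/dashboard',
    headers: { host: 'app.example', accept: 'text/html' } },
  { ip: '198.51.100.7', method: 'GET', path: '/admin',
    headers: { host: 'app.example', 'X-Middleware-Subrequest': 'a:b:c:d:e' } },
];

function runSample() {
  return SAMPLE_REQUESTS.map(inspectInboundRequest);
}

for (const r of runSample()) {
  console.log(JSON.stringify(r.alert ?? { alert: 'none' }));
}
```

Stripping at the edge protects applications that cannot be patched immediately; the alert record is what lets a detection team see whether the attempts Akamai describes are reaching a given deployment.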
These disclosures follow a warning from GreyNoise about active exploitation attempts recorded against several known vulnerabilities in DrayTek devices. The affected vulnerabilities include:
- CVE-2020-8515 (CVSS score: 9.8) – An operating system command injection vulnerability in multiple DrayTek router models, allowing remote code execution as root via shell metacharacters sent to the cgi-bin/mainfunction.cgi URI.
- CVE-2021-20123 (CVSS score: 7.5) – A local file inclusion vulnerability in DrayTek VigorConnect, allowing an unauthenticated attacker to download arbitrary files from the underlying operating system with root privileges via the DownloadFileServlet endpoint.
- CVE-2021-20124 (CVSS score: 7.5) – A local file inclusion vulnerability in DrayTek VigorConnect, allowing an unauthenticated attacker to download arbitrary files from the underlying operating system with root privileges via the WebServlet endpoint.
Indonesia, Hong Kong, and the United States have been identified as the top destination countries for attack traffic related to CVE-2020-8515, while Lithuania, the United States, and Singapore have been targeted in attacks exploiting CVE-2021-20123 and CVE-2021-20124.
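The Sitecore and DrayTek issues above share a shape from a detection standpoint: each leaves a recognisable marker in the HTTP request itself (a serialized .NET object in the __CSRFTOKEN POST parameter; shell metacharacters aimed at cgi-bin/mainfunction.cgi; a file-download request to DownloadFileServlet or WebServlet). The following is an added example, not code from the article, from CISA or from either vendor, that inspects constructed request records for those three markers. The record shape, the sample traffic, the paths in it and the severity labels are made up for the example. Two assumptions are labelled in the code: that the serialized .NET object is a base64-encoded BinaryFormatter stream, and that a path traversal sequence in a VigorConnect download request is a stronger signal than a bare endpoint hit.

```javascript
// Added example, not code from the article or from Sitecore, DrayTek or CISA.
// Inspects constructed HTTP request records for the three exploitation
// patterns the article describes. Record shape, sample traffic and severity
// labels are made up. Assumptions: the .NET payload in __CSRFTOKEN is a
// base64 BinaryFormatter stream, and "../" in a VigorConnect download request
// is treated as a stronger signal than a plain endpoint hit.

// A BinaryFormatter stream opens with a SerializedStreamHeader record:
// RecordType 0x00, RootId 1, HeaderId -1, MajorVersion 1, MinorVersion 0.
const BINARYFORMATTER_PREFIX = Buffer.from([
  0x00, 0x01, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00,
]);

// Characters a shell would interpret; none belong in a router UI parameter.
const SHELL_META = /[;|&`$]/;

function looksLikeBinaryFormatter(value) {
  if (typeof value !== 'string' || value.length < 20) return false;
  const raw = Buffer.from(value, 'base64'); // lenient: junk just decodes short
  return raw.length >= BINARYFORMATTER_PREFIX.length &&
    raw.subarray(0, BINARYFORMATTER_PREFIX.length).equals(BINARYFORMATTER_PREFIX);
}

// Percent-decode without throwing on malformed escapes; keep the raw text then.
function safeDecode(text) {
  try { return decodeURIComponent(text); } catch { return text; }
}

// Decoded parameter values of a query string or x-www-form-urlencoded body.
function paramValues(encoded) {
  return [...new URLSearchParams(encoded || '').values()];
}

// req: { src, method, target, body } with target = "/path?query" and body the
// raw form-encoded body or ''. Returns a list of findings (possibly empty).
function inspectRequest(req) {
  const findings = [];
  const [path, query = ''] = req.target.split('?', 2);

  // CVE-2019-9874 / CVE-2019-9875: serialized .NET object in __CSRFTOKEN.
  if (req.method === 'POST' && req.body) {
    const token = new URLSearchParams(req.body).get('__CSRFTOKEN');
    if (token && looksLikeBinaryFormatter(token)) {
      findings.push({ rule: 'sitecore-anticsrf-deserialization', severity: 'high', src: req.src, path });
    }
  }

  // CVE-2020-8515: shell metacharacters in any parameter sent to mainfunction.cgi.
  if (path.endsWith('/cgi-bin/mainfunction.cgi')) {
    const values = paramValues(query).concat(paramValues(req.body));
    if (values.some((v) => SHELL_META.test(v))) {
      findings.push({ rule: 'draytek-mainfunction-command-injection', severity: 'high', src: req.src, path });
    }
  }

  // CVE-2021-20123 / CVE-2021-20124: VigorConnect file-download endpoints.
  if (/DownloadFileServlet|WebServlet/.test(path)) {
    const traversal = safeDecode(path).includes('../') ||
      paramValues(query).some((v) => v.includes('../'));
    findings.push({
      rule: 'vigorconnect-file-download',
      severity: traversal ? 'high' : 'review', // assumption: traversal = stronger signal
      src: req.src,
      path,
      query: safeDecode(query),
    });
  }
  return findings;
}

// Constructed token: BinaryFormatter header followed by filler bytes.
const SERIALIZED_TOKEN = Buffer.concat([
  BINARYFORMATTER_PREFIX, Buffer.from('constructed filler bytes'),
]).toString('base64');

// Constructed sample traffic (paths and parameter names are made up).
const SAMPLE_REQUESTS = [
  { src: '203.0.113.5', method: 'POST', target: '/sitecore/login',
    body: new URLSearchParams({ __CSRFTOKEN: 'c2l0ZWNvcmUtY3NyZi10b2tlbg', UserName: 'editor' }).toString() },
  { src: '198.51.100.9', method: 'POST', target: '/sitecore/login',
    body: new URLSearchParams({ __CSRFTOKEN: SERIALIZED_TOKEN }).toString() },
  { src: '192.0.2.33', method: 'POST', target: '/cgi-bin/mainfunction.cgi',
    body: new URLSearchParams({ action: 'login', param: 'admin; ls' }).toString() },
  { src: '192.0.2.34', method: 'GET', target: '/cgi-bin/mainfunction.cgi?action=login', body: '' },
  { src: '192.0.2.35', method: 'GET',
    target: '/vigorconnect/DownloadFileServlet?fileName=..%2F..%2F..%2Fexample.txt', body: '' },
];

function runSample() {
  return SAMPLE_REQUESTS.map(inspectRequest);
}

for (const findings of runSample()) {
  for (const f of findings) console.log(JSON.stringify(f));
}
```

The three checks deliberately look at decoded parameter values rather than the raw request line, since percent-encoding is the first thing an attacker varies to slip past a naive string match; the VigorConnect rule is left at "review" for a plain endpoint hit because legitimate administrators use those endpoints too, and the analyst needs the decoded query to decide.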