CISA Flags Exploited Sitecore CMS Flaws as Next.js and DrayTek Vulnerabilities Face Active Attacks

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two six-year-old vulnerabilities affecting Sitecore CMS and Experience Platform (XP) to its Known Exploited Vulnerabilities (KEV) catalog, citing confirmed instances of active exploitation.

Sitecore CMS Flaws Under Active Attack

The newly listed vulnerabilities include:

  • CVE-2019-9874 (CVSS score: 9.8): A deserialization flaw in the Sitecore.Security.AntiCSRF module, enabling unauthenticated attackers to execute arbitrary code via a maliciously crafted .NET object in the __CSRFTOKEN HTTP POST parameter.

  • CVE-2019-9875 (CVSS score: 8.8): A similar deserialization vulnerability, but requiring authentication to exploit.

Although Sitecore acknowledged active exploitation of CVE-2019-9874 in March 2020, it did not report evidence of CVE-2019-9875 being leveraged in attacks. Federal agencies have been given a deadline of April 16, 2025, to patch the flaws and secure their systems.

Next.js Authorization Bypass Vulnerability (CVE-2025-29927) Faces Exploit Attempts

In parallel, Akamai has detected early-stage exploit attempts against a newly disclosed flaw in the Next.js web framework (CVE-2025-29927, CVSS score: 9.1). This authorization bypass vulnerability allows attackers to circumvent middleware-based security checks by exploiting the "x-middleware-subrequest" header, granting them unauthorized access to protected application resources.

According to Checkmarx researcher Raphael Silva, attackers are using payloads that manipulate the header to simulate multiple internal subrequests, a tactic resembling public proof-of-concept exploits.
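Because the header named above is meant for Next.js's own internal subrequests, a client should never be able to supply it; the following added example (not from the article, nor Next.js or Vercel code) shows an edge-side filter that strips or blocks client-supplied copies and a matching check over constructed proxy log lines. The log format and sample values are assumptions made for the example.

```javascript
// Added example: treat the internal "x-middleware-subrequest" header as untrusted
// when it arrives from a client. Header names are case-insensitive in HTTP, so
// every comparison normalises to lowercase. All sample data is constructed.

const INTERNAL_HEADER = "x-middleware-subrequest";

// Returns { blocked, headers, reason }. In "strip" mode the header is removed so
// middleware runs normally; in "block" mode the request is rejected outright.
function filterInboundHeaders(headers, { mode = "strip" } = {}) {
  const cleaned = {};
  let seen = false;
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === INTERNAL_HEADER) {
      seen = true; // only the framework itself should ever set this
      continue;
    }
    cleaned[name] = value;
  }
  if (seen && mode === "block") {
    return { blocked: true, headers: null, reason: `client-supplied ${INTERNAL_HEADER}` };
  }
  return { blocked: false, headers: cleaned, reason: seen ? `stripped ${INTERNAL_HEADER}` : null };
}

// Detection over constructed proxy log lines of the form
// "<client-ip> <method> <path> <comma-separated request header names>".
function findSuspiciousLogLines(lines) {
  return lines.filter((line) => {
    const fields = line.split(" ");
    const headerNames = (fields[3] || "").split(",").map((h) => h.trim().toLowerCase());
    return headerNames.includes(INTERNAL_HEADER);
  });
}

// Constructed sample log lines (RFC 5737 documentation addresses).
const sampleLogs = [
  "203.0.113.5 GET /dashboard host,accept,cookie",
  "198.51.100.9 GET /admin host,accept,x-middleware-subrequest",
  "198.51.100.9 GET /admin host,X-Middleware-Subrequest,accept",
];

console.log(findSuspiciousLogLines(sampleLogs).length, "suspicious requests");
```

In a real deployment the same logic belongs in the reverse proxy or CDN in front of the application, where the header can be dropped before it reaches Next.js.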

DrayTek Router Exploits Intensify

Meanwhile, GreyNoise has reported ongoing attacks targeting vulnerabilities in DrayTek networking devices, including:

  • CVE-2020-8515 (CVSS score: 9.8): A command injection flaw allowing remote code execution (RCE) as root via the cgi-bin/mainfunction.cgi endpoint.

  • CVE-2021-20123 & CVE-2021-20124 (CVSS score: 7.5): Local file inclusion (LFI) vulnerabilities in DrayTek VigorConnect, enabling unauthenticated attackers to retrieve arbitrary system files with root privileges.

Attack traffic for CVE-2020-8515 has been traced to Indonesia, Hong Kong, and the U.S., while CVE-2021-20123 and CVE-2021-20124 are being actively exploited in Lithuania, the U.S., and Singapore.

Ongoing Cybersecurity Threats Demand Urgent Action

With multiple legacy and newly disclosed vulnerabilities under active exploitation, organizations are urged to apply the available patches immediately and harden their defenses to mitigate potential attacks.