Jan 30, 2026 · 6 min read
Unauthenticated RCE in Sitecore 10.4. Attackers send a malicious serialized .NET object in the 'ThumbnailsAccessToken' header. The server deserializes it using the banned `BinaryFormatter`, granting the attacker a shell. Patch immediately with KB1002844.
A critical insecure deserialization vulnerability in Sitecore Experience Manager (XM) and Experience Platform (XP) 10.4 allows unauthenticated remote attackers to execute arbitrary code via the 'ThumbnailsAccessToken' HTTP header. Despite a confusingly low initial CVSS score, this is a textbook RCE leading to full system compromise.
It is the year 2025. Flying cars are still a prototype, AI writes our poetry, and yet, somehow, we are still fighting BinaryFormatter vulnerabilities in enterprise software. Enter Sitecore, the heavyweight champion of Digital Experience Platforms (DXP). It’s complex, it’s expensive, and it powers some of the biggest websites on the planet.
Recently, a researcher discovered a rather peculiar HTTP header being processed by Sitecore XM and XP versions 10.4: ThumbnailsAccessToken. To the untrained eye, this looks like a boring authentication token for fetching image previews. But to a hacker, it smells like opportunity.
The component handling this header wasn't just checking a string. It wasn't validating a JWT. It was taking whatever data you fed it, treating it as a serialized .NET object, and attempting to bring it back to life. In the security world, we call this "trusting the user to hold a loaded gun." And in this specific case, the gun was pointed directly at the server's head.
The root cause of CVE-2025-27218 is a classic case of Insecure Deserialization (CWE-502). Specifically, the application utilizes the System.Runtime.Serialization.Formatters.Binary.BinaryFormatter class to process the contents of the ThumbnailsAccessToken header.
Microsoft has been screaming from the rooftops for years: Do not use BinaryFormatter. It is unsafe by design. There is no way to secure it. If you pass untrusted data to it, you lose. Period. Yet, legacy codebases—and occasionally new mistakes—keep this zombie alive.
When the Sitecore application receives a request with this header, it performs the following fatal dance:
1. Read the raw ThumbnailsAccessToken header value from the request.
2. Base64-decode it into a byte array.
3. Hand those bytes to BinaryFormatter.Deserialize().
Because BinaryFormatter is a polymorphic serializer, it will instantiate whatever class the data stream tells it to. If an attacker sends a serialized object containing a "gadget" (a class present in the .NET Framework that does something dangerous during deserialization, in a constructor, property setter, or deserialization callback), the deserializer obliges. It creates the object, runs the dangerous code, and hands the server's keys to the attacker.
Let's look at the logic flow. While the exact proprietary source code isn't public, the behavior can be reconstructed with high accuracy based on the exploit mechanics. The vulnerability exists in how the thumbnail generation endpoint authenticates requests.
The Vulnerable Logic (Conceptual C#):
```csharp
using System;
using System.IO;
using System.Runtime.Serialization.Formatters.Binary;
using System.Web;

// Conceptual reconstruction, not Sitecore's actual source. Deliberately vulnerable.
public class ThumbnailHandler
{
    public void ProcessRequest(HttpContext context)
    {
        string token = context.Request.Headers["ThumbnailsAccessToken"];
        if (!string.IsNullOrEmpty(token))
        {
            byte[] bytes = Convert.FromBase64String(token);
            using (MemoryStream ms = new MemoryStream(bytes))
            {
                // THE KILL ZONE: attacker-controlled bytes choose which types get instantiated.
                BinaryFormatter formatter = new BinaryFormatter();
                object trustedToken = formatter.Deserialize(ms);
                // ... validate trustedToken ... (too late: any gadget has already run)
            }
        }
    }
}
```
See the issue? The code deserializes the object before it validates what the object actually is. By the time the code reaches the validation step (if it even does), the damage is already done. The act of deserialization itself triggers the payload execution.
The fix involves removing BinaryFormatter entirely and replacing it with a safe serialization mechanism (like JSON) or strictly validating the input before it touches any deserializer. In KB1002844, Sitecore essentially surgically removes this unsafe handling.
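As an added example (not Sitecore's code, and not a description of what KB1002844 actually changes), here is one way the conceptual handler above can be rebuilt so that no deserializer ever touches the header. The token becomes an HMAC-SHA256-authenticated, fixed-format string; the MAC is checked with a constant-time comparison before the payload is interpreted; and the only parsing that happens afterwards is Guid.TryParseExact and long.TryParse on two delimited fields. The key source, the payload layout ("<itemId>|<expiresUnixSeconds>"), the class names and the 403 response are assumptions made for illustration.

```csharp
using System;
using System.Globalization;
using System.Security.Cryptography;
using System.Text;
using System.Web;

// Added example: an opaque, MAC-authenticated token replaces the serialized object.
// Nothing here instantiates a type chosen by the client.
public class ThumbnailAccessToken
{
    // Assumption: the key is loaded from protected configuration, never from source.
    private readonly byte[] _key;

    public ThumbnailAccessToken(byte[] key)
    {
        if (key == null || key.Length < 32)
            throw new ArgumentException("HMAC key must be at least 32 bytes");
        _key = key;
    }

    // Issue a token: base64url(payload) "." base64url(HMAC-SHA256(payload)).
    public string Issue(Guid itemId, DateTimeOffset expiresUtc)
    {
        string payload = itemId.ToString("N") + "|" +
            expiresUtc.ToUnixTimeSeconds().ToString(CultureInfo.InvariantCulture);
        byte[] payloadBytes = Encoding.ASCII.GetBytes(payload);
        return B64UrlEncode(payloadBytes) + "." + B64UrlEncode(Mac(payloadBytes));
    }

    // Validate a presented header value. Returns false on any defect and never throws
    // on attacker input. Authentication happens BEFORE the payload is interpreted.
    public bool TryValidate(string token, DateTimeOffset nowUtc, out Guid itemId)
    {
        itemId = Guid.Empty;
        if (string.IsNullOrEmpty(token) || token.Length > 256) return false;

        string[] parts = token.Split('.');
        if (parts.Length != 2) return false;

        byte[] payloadBytes, presentedMac;
        try
        {
            payloadBytes = B64UrlDecode(parts[0]);
            presentedMac = B64UrlDecode(parts[1]);
        }
        catch (FormatException) { return false; }

        // 1. Authenticate the bytes.
        if (!FixedTimeEquals(Mac(payloadBytes), presentedMac)) return false;

        // 2. Only now parse the fixed format: exactly two fields, a GUID and a Unix time.
        string[] fields = Encoding.ASCII.GetString(payloadBytes).Split('|');
        if (fields.Length != 2) return false;
        if (!Guid.TryParseExact(fields[0], "N", out itemId)) return false;
        long expires;
        if (!long.TryParse(fields[1], NumberStyles.None, CultureInfo.InvariantCulture, out expires)
            || nowUtc.ToUnixTimeSeconds() > expires)
        {
            itemId = Guid.Empty;
            return false;
        }
        return true;
    }

    private byte[] Mac(byte[] data)
    {
        using (var h = new HMACSHA256(_key)) return h.ComputeHash(data);
    }

    // Constant-time compare; .NET Framework 4.x lacks CryptographicOperations.FixedTimeEquals.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    private static string B64UrlEncode(byte[] b) =>
        Convert.ToBase64String(b).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    private static byte[] B64UrlDecode(string s)
    {
        string t = s.Replace('-', '+').Replace('_', '/');
        switch (t.Length % 4)
        {
            case 2: t += "=="; break;
            case 3: t += "="; break;
            case 1: throw new FormatException("invalid base64url length");
        }
        return Convert.FromBase64String(t);
    }
}

// The handler no longer references BinaryFormatter at all.
public class ThumbnailHandler
{
    private readonly ThumbnailAccessToken _tokens;
    public ThumbnailHandler(ThumbnailAccessToken tokens) { _tokens = tokens; }

    public void ProcessRequest(HttpContext context)
    {
        string token = context.Request.Headers["ThumbnailsAccessToken"];
        Guid itemId;
        if (!_tokens.TryValidate(token, DateTimeOffset.UtcNow, out itemId))
        {
            context.Response.StatusCode = 403;   // assumption: reject silently, no detail leaked
            return;
        }
        // ... render the thumbnail for itemId ...
    }
}
```

The order is the whole point: authenticate the bytes, then interpret them. The original code does the reverse, and with BinaryFormatter "interpret" means "instantiate whatever types the attacker named". A fixed-shape JSON payload parsed with a non-polymorphic serializer would also work in place of the delimited string, as long as the MAC check still comes first.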
Exploiting this is trivial for anyone with a copy of ysoserial.net. The attack does not require authentication, so any exposed Sitecore 10.4 instance is fair game.
The Attack Chain:
1. Use ysoserial.net to create a serialized object built from a known gadget chain. The WindowsIdentity gadget is a popular choice for this environment:
```
ysoserial.exe -g WindowsIdentity -f BinaryFormatter -c "cmd.exe /c whoami > C:\Windows\Temp\pwned.txt"
```
2. Base64-encode the resulting bytes (ysoserial.net can emit Base64 directly with `-o base64`) and send them as the ThumbnailsAccessToken header of an unauthenticated HTTP request to the thumbnail endpoint.
3. The server base64-decodes the value and feeds it to BinaryFormatter.Deserialize(); the gadget fires during deserialization and runs the command as the IIS worker process account.
Visualizing the Attack:
We can see this in action in the Metasploit module exploit/windows/http/sitecore_xp_cve_2025_27218. The module automates the payload generation and header injection, turning a complex deserialization theory into a "point and click" shell.
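To make the defensive side of this concrete, here is an added example (not from the page, ysoserial.net or Metasploit) of the check a WAF rule or request-logging filter could apply to the ThumbnailsAccessToken header: decode it, look for the 17-byte MS-NRBF SerializationHeaderRecord that every BinaryFormatter stream begins with (record type 0x00, major version 1, minor version 0), and then scan the decoded bytes for type names used by well-known gadget chains. The sample header values in Main are constructed; the first is only the NRBF header plus a hand-built BinaryLibrary record naming WindowsIdentity, not a working chain. The gadget marker list is illustrative, not exhaustive.

```csharp
using System;
using System.Collections.Generic;
using System.Text;

// Added example: recognise a BinaryFormatter (MS-NRBF) stream hidden in a Base64 header.
public static class NrbfHeaderDetector
{
    // MS-NRBF SerializationHeaderRecord layout:
    //   byte 0      RecordTypeEnum = 0x00 (SerializedStreamHeader)
    //   bytes 1-4   RootId (int32)
    //   bytes 5-8   HeaderId (int32)
    //   bytes 9-12  MajorVersion (int32), always 1
    //   bytes 13-16 MinorVersion (int32), always 0
    public static bool LooksLikeBinaryFormatterStream(byte[] b)
    {
        if (b == null || b.Length < 17) return false;
        if (b[0] != 0x00) return false;
        int major = BitConverter.ToInt32(b, 9);
        int minor = BitConverter.ToInt32(b, 13);
        return major == 1 && minor == 0;
    }

    // Type names that show up in common ysoserial.net gadget chains (illustrative list).
    private static readonly string[] GadgetMarkers =
    {
        "System.Security.Principal.WindowsIdentity",
        "System.Data.DataSet",
        "System.Windows.Data.ObjectDataProvider",
        "System.Diagnostics.Process",
        "TextFormattingRunProperties",
    };

    // Returns a short verdict string suitable for a log field or WAF action.
    public static string Classify(string headerValue)
    {
        if (string.IsNullOrEmpty(headerValue)) return "empty";

        byte[] bytes;
        try { bytes = Convert.FromBase64String(headerValue); }
        catch (FormatException) { return "not-base64"; }

        if (LooksLikeBinaryFormatterStream(bytes))
        {
            // NRBF stores class and assembly names as length-prefixed UTF-8 strings,
            // so a plain substring scan over the decoded bytes is enough here.
            string text = Encoding.UTF8.GetString(bytes);
            foreach (string marker in GadgetMarkers)
                if (text.Contains(marker)) return "binaryformatter-gadget:" + marker;
            return "binaryformatter-stream";
        }

        if (bytes.Length > 1024) return "oversized";   // threshold is an assumption
        return "benign";
    }

    public static void Main()
    {
        // Constructed sample: real NRBF header, then a BinaryLibrary record
        // (0x0C, LibraryId = 2, LengthPrefixedString). Not an executable gadget chain.
        var fake = new List<byte>
        {
            0x00, 1, 0, 0, 0, 0xFF, 0xFF, 0xFF, 0xFF, 1, 0, 0, 0, 0, 0, 0, 0,
            0x0C, 2, 0, 0, 0
        };
        byte[] libName = Encoding.UTF8.GetBytes("System.Security.Principal.WindowsIdentity, mscorlib");
        fake.Add((byte)libName.Length);   // single-byte length prefix (< 128)
        fake.AddRange(libName);

        string[] samples =
        {
            Convert.ToBase64String(fake.ToArray()),                        // binaryformatter-gadget:...
            Convert.ToBase64String(Encoding.ASCII.GetBytes("thumb-12345")), // benign
            "eyJhbGciOiJIUzI1NiJ9.e30.abc",                                 // JWT-shaped: not-base64
        };
        foreach (string s in samples)
        {
            string shown = s.Length > 40 ? s.Substring(0, 40) + "..." : s;
            Console.WriteLine(Classify(s) + "  <- " + shown);
        }
    }
}
```

Two caveats for anyone wiring this into a proxy: the NRBF header check is reliable regardless of what a legitimate token looks like, whereas a length-only heuristic is not if the legitimate format is itself Base64; and gadget name matching is a secondary signal, since attackers can pick chains whose type names are not on your list. Treat "binaryformatter-stream" alone as block-worthy.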
You might notice the CVSS score is 5.3. You might look at that and think, "Medium severity? I can patch this next month."
Do not do that.
The NVD score likely reflects a misunderstanding of the impact scope or an initial classification error (perhaps confusing it with information disclosure). However, the technical reality is absolute Remote Code Execution. The attacker executes commands as the IIS user (usually NT AUTHORITY\NETWORK SERVICE or a dedicated service account).
From that foothold, an attacker can:
The EPSS score sits at the 98th percentile for a reason. This is a "drop everything and fix it" vulnerability, regardless of what the generic score says.
If you run Sitecore XM or XP 10.4, you have one job today: Install KB1002844.
This hotfix patches the vulnerability by altering how the ThumbnailsAccessToken is processed. Unlike some mitigations that just filter gadgets (which researchers eventually bypass), this patch addresses the root cause.
Defense in Depth Strategies:
- Filter the ThumbnailsAccessToken header at the WAF or reverse proxy. Unless you have a very specific, verified need for it, block it. If you do need it, alert on header values that exceed the typical length or that decode from Base64 into a binary blob.
- Monitor w3wp.exe spawning unusual child processes. IIS worker processes shouldn't typically be launching cmd.exe or powershell.exe.
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

| Product | Affected Versions | Fixed Version |
|---|---|---|
| Sitecore Experience Manager (XM) | 10.4.0 without KB1002844 | 10.4 + KB1002844 |
| Sitecore Experience Platform (XP) | 10.4.0 without KB1002844 | 10.4 + KB1002844 |
| Attribute | Detail |
|---|---|
| CVE ID | CVE-2025-27218 |
| CWE | CWE-502 (Insecure Deserialization) |
| CVSS v3.1 | 5.3 (Official) / 9.8 (Real World Impact) |
| EPSS Score | 0.576 (98th Percentile) |
| Attack Vector | Network (HTTP Header) |
| Exploit Status | Weaponized (Metasploit Available) |
The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.