CISA Warns of Sitecore RCE Flaws; Active Exploits Hit Next.js and DrayTek Devices
Introduction
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recently updated its Known Exploited Vulnerabilities (KEV) catalog to include critical security flaws affecting Sitecore CMS, Next.js, and DrayTek devices. These vulnerabilities pose a significant risk, allowing attackers to execute arbitrary code, bypass security checks, and gain unauthorized access to sensitive data.
Organizations relying on these platforms must take immediate action to patch their systems and mitigate potential cyber threats.
Sitecore RCE Vulnerabilities Under Active Exploitation
Two critical remote code execution (RCE) vulnerabilities impacting Sitecore CMS and Experience Platform (XP) have been actively exploited:
- CVE-2019-9874 (CVSS score: 9.8): This deserialization vulnerability in the Sitecore.Security.AntiCSRF module allows unauthenticated attackers to execute arbitrary code by injecting malicious serialized .NET objects via the __CSRFTOKEN HTTP POST parameter.
- CVE-2019-9875 (CVSS score: 8.8): Similar to CVE-2019-9874, but requires an authenticated attacker to exploit the vulnerability.
Although Sitecore acknowledged active exploitation of CVE-2019-9874 in 2020, there is no confirmation regarding CVE-2019-9875 being actively targeted. Given the critical nature of these vulnerabilities, federal agencies must apply patches by April 16, 2025, to prevent potential cyber intrusions.
Next.js Exploitation Attempts Observed
Security researchers at Akamai have detected early-stage attack attempts targeting a newly disclosed authorization bypass vulnerability in the Next.js web framework:
- CVE-2025-29927 (CVSS score: 9.1): This flaw allows attackers to bypass middleware-based security checks by spoofing the x-middleware-subrequest header. By crafting specific requests, cybercriminals can access restricted application resources, leading to potential data breaches and privilege escalation.
How Attackers Exploit Next.js?
A common exploitation technique involves manipulating the x-middleware-request header, using a string like:
src/middleware:src/middleware:src/middleware:src/middleware:src/middleware
This technique mimics multiple internal subrequests, triggering Next.js’s internal redirect logic and allowing unauthorized access to protected resources.
Active Exploits Targeting DrayTek Devices
According to GreyNoise, multiple DrayTek router vulnerabilities are being actively targeted, exposing users to remote code execution (RCE) and unauthorized file access. The impacted vulnerabilities include:
- CVE-2020-8515 (CVSS score: 9.8): A command injection vulnerability in DrayTek routers, allowing unauthenticated remote code execution (RCE) via shell metacharacters in the cgi-bin/mainfunction.cgi URI.
- CVE-2021-20123 (CVSS score: 7.5): A local file inclusion (LFI) flaw in DrayTek VigorConnect, permitting attackers to **download sensitive.