Active Exploitation of Six-Year-Old Security Flaws in Sitecore and DrayTek Devices: What You Need to Know

In recent cybersecurity developments, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued new warnings regarding several serious vulnerabilities in widely used platforms. Despite being discovered years ago, the flaws are now being actively exploited in the wild. These include critical security holes in Sitecore CMS and Experience Platform, as well as DrayTek routers. Federal agencies are now under a mandate to patch their systems, and organizations worldwide should pay close attention to these threats.

Vulnerabilities in Sitecore CMS and Experience Platform

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently added two critical vulnerabilities, both dating back to 2019, to its Known Exploited Vulnerabilities (KEV) catalog. These flaws affect Sitecore CMS and Experience Platform (XP), posing significant risks to users. The vulnerabilities in question are:

  • CVE-2019-9874 (CVSS score: 9.8) – A deserialization vulnerability in the Sitecore.Security.AntiCSRF module. It allows unauthenticated attackers to execute arbitrary code by sending a serialized .NET object within the HTTP POST parameter __CSRFTOKEN.

  • CVE-2019-9875 (CVSS score: 8.8) – Another deserialization vulnerability, but this one impacts authenticated users. By exploiting the vulnerability through the __CSRFTOKEN parameter, attackers can also execute arbitrary code.

Sitecore acknowledged active exploitation of CVE-2019-9874 as early as March 2020, but there have been no clear public indications of exploitation of CVE-2019-9875. While details about the exploitation techniques remain scarce, CISA’s decision to add both flaws to the KEV catalog signals heightened concern based on the active exploitation it has observed.

Akamai and Next.js Vulnerability

Meanwhile, Akamai, a prominent web infrastructure company, reported a newly disclosed security flaw in the Next.js web framework (CVE-2025-29927, CVSS score: 9.1). The vulnerability is an authorization bypass: an attacker who spoofs the x-middleware-subrequest header can cause Next.js to skip middleware-based security checks, potentially gaining unauthorized access to sensitive resources.

The exploitation technique involves creating multiple internal subrequests within a single request, triggering Next.js’s internal redirect logic. This technique closely mirrors public proof-of-concept exploits that can easily be weaponized.

Exploitation of DrayTek Routers

In a separate development, threat intelligence firm GreyNoise reported ongoing exploitation of vulnerabilities in several DrayTek router models. These vulnerabilities include:

  • CVE-2020-8515 (CVSS score: 9.8) – A command injection vulnerability in multiple DrayTek routers, allowing remote code execution as root through a specially crafted request to the cgi-bin/mainfunction.cgi endpoint.

  • CVE-2021-20123 (CVSS score: 7.5) and CVE-2021-20124 (CVSS score: 7.5) – These local file inclusion vulnerabilities impact DrayTek VigorConnect, enabling unauthenticated attackers to download arbitrary files with root privileges.

GreyNoise has observed that countries like Indonesia, Hong Kong, and the United States have become key targets of attacks exploiting CVE-2020-8515, while Lithuania, the United States, and Singapore are primarily targeted by CVE-2021-20123 and CVE-2021-20124.
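As an added example (not from the article or its sources), the defender-side checks implied by the three sections above, collected in one log-line classifier: it flags any client-supplied x-middleware-subrequest header, a __CSRFTOKEN parameter that carries a serialized .NET object, and shell metacharacters sent to DrayTek's cgi-bin/mainfunction.cgi endpoint. The log format, the sample lines and the metacharacter heuristic are this example's own assumptions; the BinaryFormatter base64 marker is a widely used detection signature.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Base64 of the .NET BinaryFormatter stream header 00 01 00 00 00 FF FF FF FF:
# a common marker of a serialized .NET object placed in a request parameter.
DOTNET_BINARYFORMATTER_B64 = "AAEAAAD/////"
# Raw and percent-encoded shell metacharacters (heuristic for command injection).
SHELL_METACHARS = re.compile(r"[;|`]|\$\(|%0a|%3b|%7c|%60|%24%28", re.I)
# Constructed log format for this example: METHOD PATH "name: value; ..." "body"
LOG_RE = re.compile(r'^(\S+) (\S+) "([^"]*)" "([^"]*)"$')

def classify(line):
    """Return the list of detection names that match one log line."""
    m = LOG_RE.match(line)
    if not m:
        return []
    _method, target, raw_headers, body = m.groups()
    headers = {}
    for item in raw_headers.split(";"):
        name, _, value = item.partition(":")
        if name.strip():
            headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)
    params = parse_qs(url.query)
    params.update(parse_qs(body))
    findings = []
    # CVE-2025-29927: Next.js sets this header on its own internal subrequests;
    # a copy arriving from a client is never legitimate, so any value is flagged.
    if "x-middleware-subrequest" in headers:
        findings.append("nextjs-middleware-bypass")
    # CVE-2019-9874/9875: __CSRFTOKEN carrying a serialized .NET object.
    token = params.get("__CSRFTOKEN", [""])[0]
    if token.startswith(DOTNET_BINARYFORMATTER_B64):
        findings.append("sitecore-deserialization")
    # CVE-2020-8515: shell metacharacters in a request to mainfunction.cgi.
    if url.path.endswith("/cgi-bin/mainfunction.cgi") and SHELL_METACHARS.search(url.query + body):
        findings.append("draytek-command-injection")
    return findings

def scan(lines):
    """Map the index of each flagged line to its findings."""
    results = {}
    for i, line in enumerate(lines):
        findings = classify(line)
        if findings:
            results[i] = findings
    return results

# Constructed sample traffic (not real captures); hosts use documentation ranges.
SAMPLE_LOG = [
    'GET /sitecore/shell/ "Host: cms.example.test" ""',
    'POST /sitecore/shell/ "Host: cms.example.test" "__CSRFTOKEN=AAEAAAD/////AQAAAAAAAAAMAgAAAEJ&lang=en"',
    'GET /dashboard "Host: shop.example.test; X-Middleware-Subrequest: middleware:middleware:middleware" ""',
    'POST /cgi-bin/mainfunction.cgi "Host: 192.0.2.10" "action=login&user=test%3Bid"',
    'POST /cgi-bin/mainfunction.cgi "Host: 192.0.2.10" "action=login&user=test"',
]
```

Running `scan(SAMPLE_LOG)` flags lines 1, 2 and 3 and leaves the two benign requests alone; in production the same rules belong at the reverse proxy, where the x-middleware-subrequest header can simply be stripped from inbound traffic.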

What Undercode Says:

The resurgence of active exploitation of older vulnerabilities highlights several important cybersecurity lessons:

  1. The Importance of Timely Patching: Even flaws that were discovered years ago can still pose significant risks if not patched. Many organizations overlook older vulnerabilities, especially if they are not tracking new exploitation activity against old flaws. CISA’s mandatory patching deadline of April 16, 2025, underscores the importance of keeping systems up-to-date, even for older software.

  2. The Growing Threat of Deserialization Vulnerabilities: Deserialization flaws, like the ones impacting Sitecore CMS, continue to be a lucrative target for cybercriminals. These vulnerabilities often allow arbitrary code execution, which can lead to total system compromise. While Sitecore and other software vendors have issued patches for these issues, the patches often remain unapplied in many organizations, making those systems prime targets for attackers.

  3. Increased Complexity in Web Frameworks: The Next.js vulnerability is a prime example of how modern web frameworks, while powerful, can introduce new avenues for exploitation. The authorization bypass flaw in Next.js demonstrates that even sophisticated security measures like middleware-based security can be bypassed by attackers with knowledge of the system’s internals. As web technologies evolve, so must the security measures implemented to protect them.

  4. Global Impact of Vulnerabilities: The exploitation of DrayTek router flaws highlights the global nature of cybercrime. These devices are widely used in many countries, making them a consistent target for attackers. The fact that different regions are targeted by different vulnerabilities shows the need for a nuanced approach to cybersecurity, as attacks may vary based on local infrastructure and attack strategies.

  5. Emerging Threats and Evolving Tactics: The fact that vulnerabilities are being actively exploited years after their disclosure indicates an ongoing gap between the discovery of flaws and their remediation. Attackers evolve their tactics, abusing mechanisms like the x-middleware-subrequest header or leveraging older vulnerabilities to gain initial access and move through systems undetected.

Fact Checker Results

  • Accuracy of CISA’s Advisory: CISA’s identification of these older vulnerabilities as being actively exploited is valid, as corroborated by other cybersecurity firms like GreyNoise.

  • Exploitation Techniques: While specific exploitation details remain limited, active probing and attempts to weaponize these flaws have been observed, especially with DrayTek and Sitecore vulnerabilities.

  • Scope of Impact: The vulnerabilities in Sitecore and DrayTek routers are indeed significant, but widespread exploitation is still emerging, suggesting the need for heightened vigilance and security updates.

References:

Reported By: https://thehackernews.com/2025/03/cisa-flags-two-six-year-old-sitecore.html