CISA Alerts on Sitecore RCE Vulnerabilities; Ongoing Exploits Target Next.js and DrayTek Devices

27.03.2025


CISA has added two critical Sitecore CMS vulnerabilities (CVE-2019-9874, CVE-2019-9875) to its Known Exploited Vulnerabilities (KEV) catalog due to active exploitation. These deserialization flaws in the Sitecore.Security.AntiCSRF module allow attackers to execute arbitrary code via manipulated HTTP POST requests. While Sitecore confirmed attacks on CVE-2019-9874 in 2020, CVE-2019-9875 exploitation remains unverified. Federal agencies must apply patches by April 16, 2025.

Meanwhile, Akamai has detected exploitation attempts targeting CVE-2025-29927, a critical authorization bypass vulnerability in Next.js. Attackers manipulate the "x-middleware-subrequest" header to evade security controls, potentially gaining unauthorized access to sensitive resources. Exploits leveraging Next.js's internal redirect logic resemble known proof-of-concept attacks.
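Because "x-middleware-subrequest" is a header Next.js uses internally, an external client has no legitimate reason to send it. A common defensive response is to strip the header at the reverse proxy or edge before the request reaches the application and to alert on any request that carried it. The following is an added example written for this summary, not code from the article, Akamai, or the Next.js project; it assumes request headers arrive as a plain object of header names to values (the shape Node's `http.IncomingMessage.headers` uses) and that the surrounding proxy logic calls `sanitizeInbound` on every request. The sample requests and IP addresses are constructed.

```javascript
// Edge-side guard for the internal Next.js header (added example, not project code).
// Assumes `headers` is a plain object mapping header names to string values.
const INTERNAL_HEADER = 'x-middleware-subrequest';

// Drop the internal header from an inbound request's headers, case-insensitively.
// Returns { headers, flagged }: `headers` is the cleaned copy and `flagged` is
// true when an external client supplied the header, which should never happen.
function sanitizeInbound(headers) {
  const cleaned = {};
  let flagged = false;
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === INTERNAL_HEADER) {
      flagged = true; // never forward it; the application must set it itself
      continue;
    }
    cleaned[name] = value;
  }
  return { headers: cleaned, flagged };
}

// Scan a batch of inbound requests and return the ones that carried the header,
// reduced to the fields an alert would need (source IP and requested path).
function findSuspiciousRequests(requests) {
  return requests
    .filter((req) => sanitizeInbound(req.headers).flagged)
    .map((req) => ({ ip: req.ip, path: req.path }));
}

// Constructed sample traffic: two ordinary requests and one carrying the
// internal header with a placeholder value (the value itself is irrelevant
// to the check; presence alone is the signal).
const SAMPLE_REQUESTS = [
  { ip: '203.0.113.10', path: '/dashboard', headers: { host: 'app.example', accept: '*/*' } },
  { ip: '203.0.113.11', path: '/admin', headers: { host: 'app.example', 'X-Middleware-Subrequest': 'placeholder' } },
  { ip: '203.0.113.12', path: '/login', headers: { host: 'app.example' } },
];

console.log(JSON.stringify(findSuspiciousRequests(SAMPLE_REQUESTS)));
```

Stripping at the edge is a stopgap, not a substitute for upgrading to a patched Next.js release; it does, however, give a detection signal that is independent of the application, since any appearance of the header from outside the trust boundary is anomalous regardless of its value.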

Cybersecurity firm GreyNoise has also reported active exploitation of multiple DrayTek device vulnerabilities. These include CVE-2020-8515, a remote code execution flaw in various router models, and CVE-2021-20123 and CVE-2021-20124, which allow unauthenticated attackers to download files with root privileges from DrayTek VigorConnect. The attacks primarily target Indonesia, Hong Kong, the U.S., Lithuania, and Singapore.

These incidents highlight persistent threats against widely used software and networking devices, reinforcing the need for timely security updates and proactive defense measures.
