CISA Warns of Sitecore RCE Flaws; Active Exploits Target Next.js and DrayTek Devices

Dheelep

Overview

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recently added two long-standing security vulnerabilities affecting Sitecore CMS and Experience Platform (XP) to its Known Exploited Vulnerabilities (KEV) catalog due to confirmed active exploitation in the wild. These vulnerabilities, first disclosed six years ago, highlight the ongoing risks associated with unpatched software and legacy security weaknesses.

The identified flaws include:

  • CVE-2019-9874 (CVSS score: 9.8) – A deserialization vulnerability within the Sitecore.Security.AntiCSRF module. This flaw enables an unauthenticated attacker to execute arbitrary code by sending a serialized .NET object through the HTTP POST parameter __CSRFTOKEN.

  • CVE-2019-9875 (CVSS score: 8.8) – A similar deserialization vulnerability in the Sitecore.Security.AntiCSRF module, but this one requires authentication. An attacker with valid credentials can still achieve remote code execution by leveraging the same __CSRFTOKEN parameter.

Although no further specifics have been disclosed regarding the exact attack methods or the threat actors exploiting these vulnerabilities, Sitecore acknowledged active exploitation of CVE-2019-9874 in a security update dated March 30, 2020. However, the company has not confirmed exploitation of CVE-2019-9875.

Given the ongoing risk, CISA has mandated all federal agencies to apply the necessary security patches before April 16, 2025, to mitigate potential threats.


Exploitation of Next.js (CVE-2025-29927)

In parallel with the Sitecore vulnerabilities, Akamai has detected active exploitation attempts against a newly disclosed authorization bypass vulnerability affecting the Next.js web framework. The vulnerability, tracked as CVE-2025-29927 (CVSS score: 9.1), enables attackers to circumvent middleware-based security mechanisms using a header spoofing technique.

Technical Breakdown

The exploit revolves around sending a specially crafted request containing the header x-middleware-subrequest, which Next.js uses internally to track its own subrequest flow and to decide whether middleware should run. By abusing this loophole, attackers can reach resources that the middleware was supposed to protect.

Security researchers at Checkmarx highlighted a particularly notable exploitation technique that involves sending the x-middleware-subrequest header with the following value:

src/middleware:src/middleware:src/middleware:src/middleware:src/middleware

This method effectively triggers Next.js's internal redirect logic, mimicking publicly available proof-of-concept (PoC) exploits. The attack essentially simulates multiple internal subrequests within a single request, manipulating the system to bypass security controls and access restricted resources.

Given the severity of this vulnerability, organizations relying on Next.js for their applications must prioritize security updates and implement additional middleware validation checks to prevent exploitation.
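One way to implement the header validation recommended above, as an added example that is not part of the original article or of the Next.js project: an edge-side (reverse proxy) check that classifies any inbound x-middleware-subrequest header and strips it before the request reaches the application. Next.js sets this header itself for internal subrequests, so an external client should never send it; its presence alone is a signal, and the repeated-identifier pattern quoted above is a stronger one. The middleware identifiers (`middleware`, `src/middleware`) and the repeat threshold of five are assumptions taken from the pattern shown in the article, and the sample requests are constructed.

```javascript
// Added example, not from the article or from the Next.js code base.
// Edge-side inspection of the x-middleware-subrequest header: classify it,
// remove it from externally originated requests, and hand a finding to logging.
const SUBREQUEST_HEADER = 'x-middleware-subrequest';
// Assumed middleware module identifiers; adjust to the project's own layout.
const KNOWN_MIDDLEWARE_IDS = ['middleware', 'src/middleware'];
// The pattern quoted in the article repeats the identifier five times.
const REPEAT_THRESHOLD = 5;

// Returns 'absent', 'unexpected-header' (present but not the repeat pattern),
// or 'bypass-pattern' (a known identifier repeated REPEAT_THRESHOLD+ times).
function classifySubrequestHeader(value) {
  if (value === undefined || value === null) return { verdict: 'absent', repeats: 0 };
  const parts = String(value).split(':').map((s) => s.trim()).filter(Boolean);
  let maxRepeats = 0;
  for (const id of KNOWN_MIDDLEWARE_IDS) {
    const n = parts.filter((p) => p === id).length;
    if (n > maxRepeats) maxRepeats = n;
  }
  if (maxRepeats >= REPEAT_THRESHOLD) return { verdict: 'bypass-pattern', repeats: maxRepeats };
  return { verdict: 'unexpected-header', repeats: maxRepeats };
}

// Mitigation at the proxy: drop the header from every inbound request so it can
// never influence middleware execution, whatever the framework version does with it.
// Header names are normalised to lower case, as HTTP header names are case-insensitive.
function sanitizeInboundHeaders(headers) {
  const lower = {};
  for (const [k, v] of Object.entries(headers)) lower[k.toLowerCase()] = v;
  const finding = classifySubrequestHeader(lower[SUBREQUEST_HEADER]);
  if (finding.verdict !== 'absent') delete lower[SUBREQUEST_HEADER];
  return { headers: lower, finding };
}

// Constructed sample requests (not captured traffic).
const SAMPLES = [
  { Host: 'app.example', Accept: 'text/html' },
  {
    Host: 'app.example',
    'X-Middleware-Subrequest':
      'src/middleware:src/middleware:src/middleware:src/middleware:src/middleware',
  },
  { Host: 'app.example', 'x-middleware-subrequest': 'middleware' },
];

// Verdict for each sample request, in order.
function triage(samples) {
  return samples.map((h) => sanitizeInboundHeaders(h).finding.verdict);
}

const RESULTS = triage(SAMPLES);
console.log(RESULTS); // ['absent', 'bypass-pattern', 'unexpected-header']
```

Stripping the header at the edge is the mitigation that works independently of the application's patch level; the classification is there so the SOC can tell scanning noise (a lone unexpected header) from an attempt that matches the published bypass pattern.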


DrayTek Devices Under Attack

In a separate development, GreyNoise, a cybersecurity threat intelligence firm, has reported widespread exploitation of multiple known vulnerabilities in DrayTek routers. The targeted vulnerabilities include:

  • CVE-2020-8515 (CVSS score: 9.8) – An OS command injection flaw affecting multiple DrayTek router models. Attackers can achieve remote code execution (RCE) as root by sending shell metacharacters via the cgi-bin/mainfunction.cgi endpoint.

  • CVE-2021-20123 (CVSS score: 7.5) – A local file inclusion (LFI) vulnerability in DrayTek VigorConnect. It allows an unauthenticated attacker to download arbitrary system files with root privileges through the DownloadFileServlet endpoint.

  • CVE-2021-20124 (CVSS score: 7.5) – Another local file inclusion (LFI) vulnerability in DrayTek VigorConnect, granting unauthenticated attackers access to sensitive system files via the WebServlet endpoint.

GreyNoise has observed significant attack activity across multiple geographic locations. The top targeted regions for each vulnerability are as follows:

  • CVE-2020-8515: Indonesia, Hong Kong, and the United States

  • CVE-2021-20123 & CVE-2021-20124: Lithuania, the United States, and Singapore

These findings indicate that cybercriminals continue to exploit old and well-documented vulnerabilities, leveraging them against unpatched systems worldwide. Organizations using DrayTek devices must apply the latest firmware updates, enable network segmentation, and deploy intrusion detection systems (IDS) to mitigate potential threats.
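As an added example, not from the article, GreyNoise or DrayTek, the following script shows what the recommended intrusion detection looks like in practice for the three endpoints named above: it parses web-server access log lines, URL-decodes each query parameter value, and flags requests to cgi-bin/mainfunction.cgi that carry shell metacharacters, and requests to DownloadFileServlet or WebServlet that carry path traversal or an absolute system path. The log lines, the parameter names (`name`, `file`) and the `/ACSServer/` path prefix are all constructed for illustration and are not taken from real traffic or from the vendor's products.

```javascript
// Added example, not from the article or from GreyNoise/DrayTek.
// Triage of access-log lines against the DrayTek endpoints the article names.
// Combined-log-format prefix: ip ident user [time] "METHOD target proto" status
const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) /;

// Decode one URL-encoded value; malformed encodings are returned as-is rather than thrown.
function safeDecode(s) {
  try {
    return decodeURIComponent(s.replace(/\+/g, ' '));
  } catch {
    return s;
  }
}

// Split a raw query string into its decoded parameter values.
function paramValues(rawQuery) {
  if (!rawQuery) return [];
  return rawQuery.split('&').map((kv) => {
    const eq = kv.indexOf('=');
    return safeDecode(eq === -1 ? kv : kv.slice(eq + 1));
  });
}

// Shell metacharacters in a decoded parameter value (command-injection indicator).
const SHELL_META = /[;|`$&\n\r]/;
function hasShellMetachars(values) {
  return values.some((v) => SHELL_META.test(v));
}

// "../" sequences or an absolute path into a system directory (LFI indicator).
const TRAVERSAL = /(\.\.[\/\\])|^[\/\\](etc|proc|root|var)[\/\\]/;
function hasTraversal(values) {
  return values.some((v) => TRAVERSAL.test(v));
}

// Endpoint rules, matched on the tail of the request path so any prefix works.
const WATCHED = [
  { cve: 'CVE-2020-8515', path: '/cgi-bin/mainfunction.cgi', check: hasShellMetachars },
  { cve: 'CVE-2021-20123', path: '/DownloadFileServlet', check: hasTraversal },
  { cve: 'CVE-2021-20124', path: '/WebServlet', check: hasTraversal },
];

function parseLine(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null;
  const [, ip, ts, method, target, status] = m;
  const q = target.indexOf('?');
  const path = q === -1 ? target : target.slice(0, q);
  const rawQuery = q === -1 ? '' : target.slice(q + 1);
  return { ip, ts, method, path, values: paramValues(rawQuery), status: Number(status) };
}

// Returns a finding object for a suspicious line, or null.
function triageLine(line) {
  const req = parseLine(line);
  if (!req) return null;
  for (const rule of WATCHED) {
    if (req.path.toLowerCase().endsWith(rule.path.toLowerCase()) && rule.check(req.values)) {
      return { ip: req.ip, ts: req.ts, cve: rule.cve, path: req.path, status: req.status };
    }
  }
  return null;
}

function triageLog(lines) {
  return lines.map(triageLine).filter(Boolean);
}

// Constructed sample log lines (not captured traffic).
const LOG_LINES = [
  '203.0.113.5 - - [28/Mar/2025:10:01:02 +0000] "GET /cgi-bin/mainfunction.cgi?action=login&name=admin HTTP/1.1" 200 512',
  '203.0.113.9 - - [28/Mar/2025:10:01:07 +0000] "POST /cgi-bin/mainfunction.cgi?action=login&name=a%3Bb HTTP/1.1" 200 88',
  '198.51.100.2 - - [28/Mar/2025:10:02:11 +0000] "GET /ACSServer/DownloadFileServlet?file=report.pdf HTTP/1.1" 200 4096',
  '198.51.100.7 - - [28/Mar/2025:10:02:15 +0000] "GET /ACSServer/DownloadFileServlet?file=..%2F..%2F..%2Fetc%2Fhostname HTTP/1.1" 200 64',
  '198.51.100.7 - - [28/Mar/2025:10:02:16 +0000] "GET /ACSServer/WebServlet?name=%2Fetc%2Fhostname HTTP/1.1" 200 64',
  '192.0.2.4 - - [28/Mar/2025:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 1024',
];

const FINDINGS = triageLog(LOG_LINES);
console.log(FINDINGS.map((f) => `${f.ip} ${f.cve} ${f.path}`));
```

Decoding before matching is the important detail: the indicators arrive percent-encoded in the raw log, so a rule that looks for a literal `;` or `../` in the request line never fires. The same structure drops into a SIEM parser or a log-shipper filter with the rules table as the only thing to maintain.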


Key Takeaways and Recommendations

  1. Patch Management is Critical – The fact that six-year-old vulnerabilities like CVE-2019-9874 are still actively exploited highlights the importance of consistent patching and security updates.

  2. Monitor Attack Trends – Cybersecurity teams must stay updated on emerging threat intelligence to proactively detect and mitigate active exploitation attempts.

  3. Strengthen Access Controls – Vulnerabilities like CVE-2025-29927 in Next.js demonstrate how weak authentication mechanisms can be bypassed using header manipulation. Implementing strict validation of request headers can significantly reduce the risk of exploitation.

  4. Secure Legacy Systems – The DrayTek exploits reveal that attackers continue to target legacy infrastructure with known vulnerabilities. Regular penetration testing and security audits can help identify and fix such weaknesses.

  5. Enhance Network Defense Mechanisms – Deploying Web Application Firewalls (WAFs), Intrusion Prevention Systems (IPS), and Endpoint Detection & Response (EDR) solutions can limit the impact of exploitation attempts.

With attackers increasingly focusing on unpatched software, middleware security flaws, and legacy devices, cybersecurity teams must remain vigilant and proactive to safeguard their systems from emerging threats.


Stay Updated with Blackout Protocol

For more in-depth cybersecurity insights, news updates, and detailed threat analysis, stay tuned to Blackout Protocol. We trace the untraceable. We hunt the undetected.
