Is b For Backdoor? Pre-Auth RCE Chain In Sitecore Experience Platform labs.watchtowr.com/is-b-for-…

Welcome to June! We’re back—this time, we’re exploring Sitecore’s Experience Platform (XP), demonstrating a pre-auth RCE chain that we reported to Sitecore in February 2025. We’ve spent a bit of time recently looking at CMS’s given the basic fact that they represent attractive targets for attackers. As you may remember, Kentico Xperience CMS obtained our gaze earlier in 2025, and patched rapidly (typically the leading inhibitor to our publishing schedule). In the blog post, you can read about how we leveraged authentication “weaknesses” to gain full control of fully patched (at the time) Kentico deployments.

Today, we’ll be following a similar path - it does appear that CMSs and password security are actually mutually exclusive concepts, and struggle to exist in the same universe