U.S. CISA Adds Sitecore CMS and XP, and GitHub Action Flaws to Its Known Exploited Vulnerabilities Catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added several vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, highlighting the importance of addressing these critical flaws to protect against potential cyber threats.

Sitecore CMS and XP Vulnerabilities

CISA has identified two critical vulnerabilities in Sitecore CMS and Experience Platform (XP): CVE-2019-9875 and CVE-2019-9874. The first vulnerability, CVE-2019-9875, affects the anti-CSRF module in Sitecore through version 9.1, allowing an authenticated attacker to execute arbitrary code by sending a serialized .NET object in an HTTP POST parameter.

The second vulnerability, CVE-2019-9874, is a deserialization flaw in Sitecore CMS versions 7.0-7.2 and XP versions 7.5-8.2 that allows unauthenticated attackers to execute code via a malicious __CSRFTOKEN in HTTP POST requests.

GitHub Action Flaw

CISA has also identified CVE-2025-30154, a vulnerability related to the compromise of the GitHub action reviewdog/action-setup@v1 that occurred on March 11, 2025. This flaw allowed secrets to be leaked to workflow logs, compromising several repositories.
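A mutable tag such as @v1 resolves to whatever commit the tag currently points at, so a workflow that references a third-party action only by tag picks up a compromised release automatically. As an added example that is not part of this article or of any project named in it, the script below audits a workflow file for third-party actions that are not pinned to a full commit SHA; the sample workflow text and the TRUSTED_OWNERS policy are constructed assumptions.

```python
import re

# Constructed sample workflow (not taken from the article). The reviewdog line
# mirrors the tag-style reference named in the article; the others are made up.
SAMPLE_WORKFLOW = """
name: ci
on: [pull_request]
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: reviewdog/action-setup@v1
      - uses: tj-actions/changed-files@v45
      - uses: ./.github/actions/local-lint
      - uses: some-org/some-action@0123456789abcdef0123456789abcdef01234567
      - run: echo "lint done"
"""

USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^"\'\s#]+)')
SHA_RE = re.compile(r'^[0-9a-f]{40}$')
# Assumed policy: first-party owners may use tags; everyone else must pin a SHA.
TRUSTED_OWNERS = {"actions", "github"}


def audit_workflow(text, trusted_owners=TRUSTED_OWNERS):
    """Return (action_ref, reason) for every `uses:` entry that is not immutable."""
    findings = []
    for line in text.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue  # local or container action: out of scope for this check
        if "@" not in ref:
            findings.append((ref, "no ref given"))
            continue
        name, version = ref.rsplit("@", 1)
        owner = name.split("/", 1)[0]
        if SHA_RE.match(version):
            continue  # pinned to a full 40-hex commit SHA: immutable
        if owner in trusted_owners:
            continue  # accepted by the assumed policy above
        findings.append((ref, f"mutable ref '{version}'; pin to a full commit SHA"))
    return findings


if __name__ == "__main__":
    for ref, reason in audit_workflow(SAMPLE_WORKFLOW):
        print(f"{ref}: {reason}")
```

Run against the sample it flags the two third-party tag references and ignores the SHA-pinned, local and first-party entries.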

Experts Weigh In

"A supply chain attack on tj-actions/changed-files caused many repositories to leak their secrets over the weekend," reported Wiz Research. "An additional supply chain attack on reviewdog/actions-setup@v1 may have contributed to the compromise of tj-actions/changed-files."

Federal Agencies and Private Organizations

CISA orders federal agencies to fix these vulnerabilities by April 14, 2025 (CVE-2025-30154) and April 16, 2025 (Sitecore CMS and XP Deserialization flaw). Private organizations are also advised to review the catalog and address the vulnerabilities in their infrastructure.

Conclusion

The addition of these vulnerabilities to the KEV catalog serves as a reminder of the importance of staying vigilant against potential cyber threats. By addressing these critical flaws, federal agencies and private organizations can help protect their networks and prevent attacks exploiting these vulnerabilities.
