The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has taken a significant step in addressing cybersecurity threats by adding two long-standing vulnerabilities affecting Sitecore's Content Management System (CMS) to its Known Exploited Vulnerabilities (KEV) catalog. These vulnerabilities, identified as CVE-2019-9874 and CVE-2019-9875, have been linked to active exploitation, raising alarms among federal agencies and organizations relying on Sitecore for their digital infrastructure.
CVE-2019-9874, which carries a critical CVSS score of 9.8, is a deserialization vulnerability in the Sitecore.Security.AntiCSRF module. This flaw allows unauthenticated attackers to execute arbitrary code by sending a serialized .NET object through the HTTP POST parameter __CSRFTOKEN. Meanwhile, CVE-2019-9875, with a CVSS score of 8.8, also involves deserialization but affects authenticated users, enabling them to exploit the same module under similar conditions.
Sitecore has acknowledged awareness of active exploitation of CVE-2019-9874 since March 30, 2020, although it has not reported any incidents regarding CVE-2019-9875. In light of these vulnerabilities, CISA has mandated that federal agencies apply necessary patches by April 16, 2025, to secure their networks against potential attacks.
On another front, Akamai has reported observing exploit attempts targeting a newly disclosed security flaw in the Next.js web framework, identified as CVE-2025-29927. This vulnerability, which has a CVSS score of 9.1, involves an authorization bypass that could allow attackers to circumvent middleware-based security checks. According to Checkmarx's Raphael Silva, successful exploitation of this vulnerability could grant unauthorized access to sensitive application resources.
“Among the identified payloads, one notable technique involves using the x-middleware-request header with the value src/middleware:src/middleware:src/middleware:src/middleware:src/middleware,” Silva explained. “This approach simulates multiple internal subrequests within a single request, triggering Next.js's internal redirect logic — closely resembling several publicly available proof-of-concept exploits.”
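The bypass described above relies on an external client supplying a header that only Next.js's own internal subrequests should ever carry. The following detection and edge-side mitigation is an added example, not code from the article or from Next.js; it checks the header name quoted above and, as an assumption made here, the `x-middleware-subrequest` name that Next.js itself consults, and it uses constructed sample requests rather than captured traffic.

```javascript
// Added example: flag inbound requests that carry Next.js's internal
// middleware-subrequest header, which legitimate external clients never send.
// Header names and the recursion threshold are assumptions made for this example.
const WATCHED_HEADERS = ['x-middleware-subrequest', 'x-middleware-request'];
const RECURSION_LIMIT = 5; // assumed depth at which repeated entries signal a bypass attempt

// req: { method, path, headers } with lower-cased header names, as a reverse
// proxy or WAF would present them. Returns a small verdict object.
function analyzeRequest(req) {
  for (const name of WATCHED_HEADERS) {
    const value = req.headers[name];
    if (value === undefined) continue;
    // The header is a colon-separated list; count how often each entry repeats.
    const segments = value.split(':').filter((s) => s.length > 0);
    const counts = new Map();
    for (const s of segments) counts.set(s, (counts.get(s) || 0) + 1);
    const repeats = Math.max(0, ...counts.values());
    return {
      suspicious: true, // any external occurrence of the header is unexpected
      header: name,
      repeats,
      severity: repeats >= RECURSION_LIMIT ? 'high' : 'medium',
    };
  }
  return { suspicious: false, header: null, repeats: 0, severity: 'none' };
}

// Edge-side mitigation: drop the internal headers before the request reaches
// the application, so a spoofed value never influences middleware execution.
function stripInternalHeaders(req) {
  const headers = { ...req.headers };
  for (const name of WATCHED_HEADERS) delete headers[name];
  return { ...req, headers };
}

// Constructed sample requests (not real traffic) covering the three cases.
const SAMPLE_REQUESTS = [
  { method: 'GET', path: '/admin', headers: { host: 'app.example',
    'x-middleware-subrequest': 'src/middleware:src/middleware:src/middleware:src/middleware:src/middleware' } },
  { method: 'GET', path: '/admin', headers: { host: 'app.example', 'x-middleware-subrequest': 'middleware' } },
  { method: 'GET', path: '/', headers: { host: 'app.example' } },
];

// Returns the severity verdict for each sample, e.g. ['high', 'medium', 'none'].
function summarize(requests) {
  return requests.map((r) => analyzeRequest(r).severity);
}
```

Run as a standalone script, `summarize(SAMPLE_REQUESTS)` shows how a header with five repeated entries is rated higher than a single stray occurrence, while stripping the headers at the edge neutralizes both.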
Meanwhile, GreyNoise Intelligence has issued warnings about active exploitation attempts against several known vulnerabilities in DrayTek devices, which have been reported to coincide with widespread automatic rebooting of these devices. The vulnerabilities under scrutiny include CVE-2020-8515, CVE-2021-20123, and CVE-2021-20124, all of which have been actively exploited in recent weeks.
Specifically, CVE-2020-8515 is an operating system command injection vulnerability affecting multiple DrayTek router models, allowing remote code execution as root via shell metacharacters to the cgi-bin/mainfunction.cgi URI. This vulnerability has seen activity from 82 different IP addresses over the past month, with Indonesia, Hong Kong, and the United States identified as the top sources of attack traffic.
Furthermore, CVE-2021-20123 and CVE-2021-20124 are local file inclusion vulnerabilities in DrayTek's VigorConnect, which could let unauthenticated attackers download arbitrary files from the underlying operating system with root privileges. The exploitation of these vulnerabilities has been observed from 23 and 22 IP addresses, respectively, with Lithuania, the U.S., and Singapore being the primary targets.
DrayTek has not linked the automatic reboots of devices directly to these vulnerabilities, but the timing of the incidents has raised concerns. On March 4, 2025, the company urged customers to upgrade their firmware in connection with buffer overflow vulnerabilities tracked as CVE-2024-51138 and CVE-2024-51139. The company thanked Faraday Security for reporting these issues, which were disclosed in a blog post on March 11, 2025.
As cyber threats continue to evolve, the need for organizations to stay vigilant and proactive in their cybersecurity measures has never been clearer. The recent disclosures regarding vulnerabilities in both Sitecore and DrayTek devices underscore the importance of timely patching and updates to safeguard against potential exploitation.
With CISA’s deadline for federal agencies approaching, organizations must prioritize their cybersecurity strategies to mitigate risks associated with these vulnerabilities. The ongoing monitoring of exploit attempts, as highlighted by Akamai and GreyNoise, further emphasizes the necessity for robust security practices in today’s digital landscape.
In conclusion, the active exploitation of these vulnerabilities shows the persistent threats organizations face and the critical need for ongoing vigilance. Staying informed and applying fixes promptly remains essential for safeguarding sensitive information and maintaining operational integrity.